Episerver Digital Experience Cloud service is ISO 27001 certified.
ISO 27001 is an information security management standard from the International Standards Organization and part of the ISO\IEC 27000 family of standards. As the most widely-used and globally recognized security standard, the benefits of compliance help ensure that all Episerver Digital Experience service customers data are better protected worldwide.
To protect the information assets associated with the Episerver Digital Experience Cloud service, Episerver has undertaken the necessary steps to achieve certification to the ISO 27001:2013 standard. This process included critical testing, inspections, assessments, and reviews of Episerver’s information security management system. The certification audits as well as certification were performed by NQA, an internationally recognized accredited certification body operating in over 32 countries with over 30 years of experience.
Compliance and certification to the standard ensures that Episerver Digital Experience Cloud customers are better protected on Episerver’s platform. ISO 27001 certification requires a 3-year certification cycle whereby annual audits are required. Episerver policies, controls, safeguards, and critical systems will continue to be reviewed, monitored, and audited for compliance to the standard to maintain certification.
Episerver Digital Experience Cloud customers will benefit from this certification with the confidence and trust that Episerver’s platform is a safe place for their data. To support compliance of the ISO 27001 standard, Episerver ensures that the following critical systems and components are in place and will continue to maintain and make improvements as appropriate:
A copy of the certification certificate will be available to all Episerver customers upon request.
Episerver’s 3 Lines of Defense strategy is based on the risk management principles adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41, Episerver has focused its responsibilities to 3 key segments for effectively managing information security risks: 1 – operation, 2 – compliance, and 3 – assurance.
Episerver’s Security Governance Board consists of Episerver’s executive management team reporting to the CEO. They are responsible for the assurance function and all assets within the organization.
Episerver’s Information Security Steering Committee is an appointed group of leaders from the respective business divisions within the organization. This team is responsible for the overall programs for our risk management as well as carrying out the protection of assets with an Information Security Management System.
The 1st line of defense from the actual operation of our program. Those responsible are from our team of professionals that directly interface with customers and partners. Working with their respective leaders, our teams utilize Episerver’s security framework and controls to protect against risk from associated assets.
The 2nd line of defense assumes the risk management function within our organization and responsible for identifying, measuring, and managing risks. The team responsible is comprised of business unit leaders from the Security Steering Committee where common policy, frameworks, and controls are created, implemented, and maintained.
The 3rd line of defense is led by our Security Governance Board and the level that managed the oversight and assurance for our information security compliance programs. This board is ultimately responsible for ownership of the assets, resources, and risk at Episerver. Leadership at this level also ensures that adequate resources are available to properly address requirements from information security standards used to measure and address risks.
Episerver’s security controls are based on a Risk Management Methodology that accounts for assets used and handled by Episerver. This framework appoints ownership assignment and responsibilities for all assets as well as any associated risks.
As risks are addressed in several effective ways, a measurement system helps understand the key impact, likelihood, and overall score. This score is carefully assessed against our tolerance set by the asset and risk owners for each. The outcome is a decision on how to handle the risk in the form of a risk treatment plan.
Risk treatment plans are intended to reduce the likelihood or impact of threats by better handling specific aspects that can be measured, monitored, and controlled.
Episerver’s incident management policies and procedures are based on the goals of quickly and efficiently dealing with information security incidents while maintaining optimal integrity of services. Based on ITIL Incident Management as well key concepts from the NIST service publication 800-61, the workflow and logic of the Episerver Incident Management Framework is focused on identifying and managing information security incidents.
While the goals of our incident management framework are focused on identification and maintaining integrity of services, our program also accounts for corrective action and preventative actions to continuously make improvements.
Episerver Digital Experience Cloud Service leverages the Microsoft Azure platform, therefore the underling infrastructure follows Microsoft Azure compliance standards, certifications, and supporting processes. Episerver Find leverages the Amazon AWS platform and therefore the underlying infrastructure follows Amazon AWS compliance standards, certifications, and supporting processes.
Microsoft Azure is compliant with more than fifty (50) of the top global compliance programs. The primary landing pages for Microsoft Azure compliance information are the Trust Center https://azure.microsoft.com/en-us/support/trust-center/ and the compliance landing page https://www.microsoft.com/en-us/TrustCenter/Compliance/default.aspx
A recent white paper on Azure Security, Privacy and compliance is also available here: http://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf