Great news – Venom IT has passed our 2019 ISO audits!
This year, the audit was a tad more complicated, as we have added ISO 27018 as an additional standard.
ISO 27018 establishes controls and guidelines for protecting Personally Identifiable Information (PII) within the public cloud computing environment. It also takes into account regulatory requirements such as GDPR.
Think of ISO 27018 as a code of practice – it’s the way we do things, every day.
When selecting a cloud provider, these standards are actually very important – some cloud providers do not abide by strict data governance principles or codes of practice and, quite frankly, these should be avoided. A cloud provider should always follow industry best practice, and never try to hold your data ‘hostage’ or make it difficult for you to leave.
We feel that because we take this so seriously, numerous companies have been with us for five to ten years, even though we generally work on a 30-day rolling contract; they have the option to leave at any time they like, but they never have, because they trust us.
Another win since implementing the ISO standards is that our average customer satisfaction rating has also gone up – very proud of that!
Here are the main controls & guidelines:
- We respect the rights of the customer to access and delete their data
- We will process the data only for the purpose for which the customer has provided this data
- We will not use the data for marketing and advertising
- We will delete temporary files containing personal information
- We will notify the customer in case of a request for data disclosure
- We will record all the disclosures of personal data
- Where appropriate, we will disclose the information about all the sub-contractors used for processing personal data
- We will notify the customer in case of a data breach
- We will document our management policies and procedures for the cloud services we offer
- We have a policy covering the return, transfer and disposal of personal data, called the Venom IT Data Protection Policy and supported by various other policies found in the ISO 27001 suite of policies and procedures.
- We will enforce confidentiality agreements for individuals who can access personal data
- We will restrict the printing of personal data and its storage in any other physical form, such as hand-written notes
- We have a procedure for data restoration, found in the Venom IT Backup Policy
- Physical media containing personal data may not be taken off-site without proper authorisation
- We will not use media that does not have encryption capability to store personal data
- We will always encrypt data that is transmitted over public networks
- We will destroy printed/handwritten media containing personal data in line with guidance found in the Venom IT Records Retention and Protection Policy and the Venom IT Guide on Document Shredding
- We will issue unique IDs for all cloud customers
- We will record all user access to the cloud
- We will disable the usage of expired user IDs
- We will specify the minimum security controls in contracts with customers and subcontractors
- We will restrict the deletion of data in storage assigned to other customers
- We will always disclose to the cloud customer in which countries their data will be stored
- When sending data, we will ensure that the data reaches its intended destination