For us, organisational security has been high on the agenda, so we started a new compliance process in 2021 after completing the most recent round of product compliance. There were a couple of “standard frameworks” we reviewed, but we ultimately decided to opt for SOC2.
Product Compliance First, Organisational Compliance Second
The first priority was to make sure that our product, the Okay Strong Customer Authentication platform, complied with the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication. We updated our compliance in 2020 and early 2021 with Prosa and SRC GmbH. There is no such thing as a PSD2 certification, but a thorough audit of the product and service assured our customers that they were integrating a compliant solution into their overall PSD2 effort.
The organisation’s security and resilience were the next high-priority item, as they are part of the overall service we provide. For this we looked at two frameworks: the first was SOC2, an audit framework designed by the American Institute of Certified Public Accountants (AICPA) to assess an organisation’s controls against its Trust Services Criteria, of which security is the core criterion. The second was ISO/IEC 27001 (or ISO27001), an international information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). We chose the former.
So, Why SOC2?
SOC2 is American, while ISO27001 is an international standard and the one most commonly expected in Europe. Given our focus on PSD2, we are clearly set in Europe, at least for now. So why did we go for SOC2?
We thoroughly reviewed both options and what each would mean for our organisation. SOC2 looked like the more appropriate step towards compliance for a lean organisation like Okay, and would allow us to focus on the aspect that matters most to our customers: security. We even compared the InfoSec (Information Security) requirements our customers send us with the SOC2 requirements. The conclusion? It made sense, as there was generally a good match.
We also raised the topic with our customers, prospects and partners. Although SOC2 comes from America, it is well regarded by our stakeholders in our market, and it represents a token of our efforts to secure our processes and systems.
Continue reading at okaythis.com/blog.