Compliance for today and tomorrow

Compliance that gives you complete confidence

Technology leaders must secure and protect customer, employee and intellectual property data in an increasingly complex and risky environment. Companies must also adhere compliance with all applicable laws, even when a service provider holds and processes a company’s data on its behalf.

Learn more about compliance and choosing the right loyalty vendor

Ensure your loyalty vendor adheres to the highest compliance and security criteria—including the completion of IS27001 and SOC 2 Type II security compliance.

Annex Cloud is committed to compliance

Annex Cloud maintains a formal and comprehensive security program to ensure the security and integrity of customer data, protect against data breaches and prevent unauthorized access to data. We’re ISO 27001 and SOC 2 Type II certified since 2019 to ensure we meet the highest standards.

Why you need an Information Security Management System (ISMS)

• Without an ISMS, controls tend to be disorganized and disjointed—often point solutions for specific situations 
• Security controls typically address certain IT aspects or data security, leaving non-IT information assets vulnerable
• Business continuity planning and physical security may be managed independently of IT or information security
• HR practices may leave out the need to define and assign information security roles and responsibilities

Third-party audits and certifications

ISO27001

ISO/IEC 27001 is an international standard for how to manage information security. The standard details requirements for establishing, implementing, maintaining and continually improving an ISMS to help organizations secure their information assets. ISO/IEC 27001 covers much more than the IT department.

ISO/IEC 27001 requires that management:

• Systematically examine information security risks, including threats, vulnerabilities and impact 
• Design and implement a coherent, comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address unacceptable risks
• Adopt an overarching management process to ensure information security controls continue to meet information security needs on an ongoing basis
• Which controls will be tested as part of certification depends on the certification auditor. This can include any controls the organization has deemed within the scope of the ISMS. Testing can be to any depth or extent the auditor determines is needed to test the control has been implemented and is operating effectively. 

Additionally, ISO 27001 was strengthened with Annex Cloud Controls, which include:

• Information security policies
• Organization of information security
• Human resource security—processes applied before, during, or after employment
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development, and maintenance
• Information security incident management Information security aspects of business continuity management compliance—with internal requirements, such as policies, and with external requirements, such as laws

SOC 2 Type 2

SOC evaluation is a multi-level evaluation across multiple principles. Compliance to SOC security standards means the vendor fully meets the established security criteria and is competent to prevent unauthorized access to data. The SOC 2 report is based on the AICPA’s Trust Services Criteria and is issued annually in accordance with the AICPA’s AT Section 101 (Attest Engagements). The SOC 2 audit and report report address all Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity and Privacy).

Other areas specifically analyzed under a SOC 2 Type 2 audit include:

• How customer data integrity is protected from entry to deletion and all points during the data lifecycle
• How privacy is communicated to customers and enforced through company policies
• Protecting rights customers have regarding their data
• Steps taken to protect customer data confidentiality
• How the company guarantees data availability
• Whether access to data, software, functions, and other IT resources is restricted to authorized personnel only
• Whether physical access to sensitive locations is restricted to authorized personnel only
• Whether appropriate background screening procedures are in place
• Whether an access control and monitoring system is implemented to detect intrusions
• Whether incident response procedures are suitably developed and tested
• Whether clients and employees understand their role in using the system
• Whether hardware, software, and related infrastructure are updated regularly
• Whether any system changes are communicated to the correct personnel in time
• Whether a change management process is available to address deficiencies in control
• Whether a disaster recovery plan is tested and documented
• Whether systems for addressing environmental risks are in place
• Whether data is processed, stored, and maintained accurately and timely
• Whether risk assessment includes identification of potential threats to the system and analyzing risks associated with each threat
• Whether a fully documented data retention policy is in place
• Whether physical and logical access controls are in place