I have some exciting news to share with all of you: on March 1, 2021, Devolutions’ Information Security Management System (ISMS) officially achieved certification per the ISO/IEC 27001:2013 standard.

This milestone for our information security management program is the result of an exceptional team effort, from our senior management to developers, who collectively provide a secure and resilient environment for the development and support of our products and services.

About the ISO/IEC Standard

The ISO/IEC standard includes the following ISMS clauses, which are audited as part of the certification process:

  • context of the organization
  • leadership
  • planning
  • support
  • operation
  • performance evaluation
  • improvement

In addition to these clauses, the standard includes an Annex A that contains a thorough list of information security controls that must be implemented, from background screening to cryptography. Although it is possible to justify excluding one or more of these Annex A controls, we decided to include all of them in the audit process.

For transparency, I would also like to note that the ISO/IEC 27001:2013 standard does not pertain to any technical security assurance of a specific product or service. It solely covers the framework or system by which our company manages information security in the development and support of products and services. For security-focused details of a specific product or service, we invite you to access the publicly available documents on our website or request information through our sales or support channels.

What This Means for Our Customers and Partners

Obtaining ISO/IEC 27001:2013 certification is not about giving us “bragging rights.” It is about providing our customers and partners with documented proof that we are truly committed to providing the safest products and services, and conducting due diligence and care in handling information.

Our ISO/IEC 27001:2013 certificate document is publicly available on our website [download the PDF] to meet your audit and risk management requirements. It is our hope that it will facilitate your procurement process, by helping your organization make better risk-based decisions when doing business with us.

Devolutions’ Information Security Management System will be monitored every year going forward to validate compliance with the ISO/IEC 27001:2013 standard. We are fully committed to maintaining — and even going beyond — the requirements for this standard.

From the Desk of our CSO Martin Lemay:

What a journey! Successfully passing two major compliance audits two years in a row — ISO 27001:2013 this year, and SOC 2 Type II last year — required the commitment of everyone within our organization to embrace information security as a high priority. When doing business with a vendor or a partner, I always expect some transparency of their security practices. And since I expect this from them, they should expect this from us.

With this being said, achieving certification per ISO 27001:2013 standard is not a guarantee that no incident can possibly happen. However, it does provide reliable assurance that we are effectively managing risk per an approved and accepted standard. Without credible proof, we can only base our judgment on smoke screens or empty promises.

I am proud to work for an organization that has a true commitment to transparency, and to conducting rigorous due diligence and care regarding information security. But we are definitely not going to rest on this achievement. We have rolled up our sleeves, and are moving forward towards other major information security milestones this year. Stay tuned!