I am signing an integration agreement. Part of our obligation is security. Does Bubble implement industry practices ([including/specifically] [the International Organization for Standardization’s standards: ISO/IEC 27001:2005 – Information Security Management Systems – requirements and ISO-IEC 27002:2005 – Code of Practice for International Security Management,] [the Information Technology Library (ITIL) standards,] [the Control Objectives for Information and related Technology (COBIT) standards] [or] [other applicable industry standards for information security])?
And if not, how do I go about making our platform compliant?
Thank you.
Bubble’s SOC2 will “deal” with a lot of this. ISO 27001 maps closely to SOC2. This is just jargon meaning if you are compliant to one standard, then you are compliant to similar standards.
It costs money to become compliant, both in maturing your own organisation’s processes, and then just paying for the audit! So organisations like Bubble tend to either do ISO (more Euro-centric) or SOC2 (more US-centric).
Making your own platform & organisation compliant … so there is plenty of info on how to do this. But in summary it means having grown up business processes and controls. Boring stuff.
Assuming you aren’t going to embark on what is likely to be a big project to mature your organisation and seek SOC2/ISO compliance, you are likely to have to fill out a security questionnaire asking you if you comply with the necessary aspects of being secure.
Some examples: password policy (are the measures and controls you have in place sufficient?), joiner/leaver process, data categorisation, etc. etc. etc. It is a long and very boring list!
This is a well-worn path, and you have lots of reading to do.