Security foundations: SOC 2 and ISO27001

October 8, 2024

Data security is as important to you as it is to us. That’s why we’re pleased to let you know that Fathom has received ISO27001 certification and been issued with the SOC 2 Type 1 report.

These external audits recognize Fathom as being compliant with security frameworks that best protect the interests of our customers and the data they hold.  

To learn more about SOC2 and ISO27001, and what this means for you when using Fathom, please read on.

What is ISO27001 and why is it important?

ISO/IEC 27001:2013 (commonly known as ISO 27001) is an independently accredited certification and the world's best-known standard for Information Security Management Systems (ISMS).

Being awarded the ISO27001 certification shows that Fathom has implemented the steps required to manage risks related to the security of data owned or handled by the company, and that this system respects all the best practices and principles enshrined in this International Standard.

What are the 3 principles of ISO27001?

ISO27001 is built on three principles of information security, known as the CIA triad, which together give confidence that the right processes are in place to manage risk adequately:

  1. Confidentiality: Only authorized persons have the right to access information.
  2. Information integrity: Only authorized persons can change the information.
  3. Availability of data: The information must be accessible to authorized persons whenever it is needed.

What are the ISO27001 security controls?

The ISMS draws on a total of 93 security controls. ISO27001 does not require all 93 to be implemented, but sufficient evidence is required to justify any control that is not applied.

The security controls are bucketed into the following four categories:

  1. Organizational (37 controls)
  2. People (8 controls)
  3. Physical (14 controls)
  4. Technological (34 controls)

What does ISO27001 mean for your company and Fathom?

If data security is important to you and your organization, then it is important to partner with a company that holds ISO27001 certification. As an independent certification, it ensures that all appropriate security controls have been examined and that the company has been adequately assessed.

Fathom prides itself on ensuring our security and data processes are of the highest caliber, leading to this recognition at the international level.

What is the process to see our ISO27001 certification?

If you wish to receive a copy of Fathom’s ISO27001 certificate, please contact support@fathomhq.com.

What is SOC 2 and why is it important?

System and Organization Controls 2, more commonly known as SOC 2, is a United States auditing examination covering the five Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy.

This examination is then collated into a Type I or Type II report.

Created by the American Institute of Certified Public Accountants (AICPA) in the early 2000s, its main goal was to ensure that companies were storing customer data securely and safely in a growing digital landscape, while establishing trust between service providers and customers.

What does Security TSC cover?

Security is the only mandatory TSC, and its scope is broad. It examines a wide range of security checks, covering how data is created, used, processed, transferred, and preserved, with the ultimate aim of assessing how the company protects customer information from vulnerabilities and unauthorized access.

The security TSC is broken down into 9 categories:

  • CC1 – Control Environment
  • CC2 – Communication and Information
  • CC3 – Risk Assessment
  • CC4 – Monitoring Activities
  • CC5 – Control Activities
  • CC6 – Logical and Physical Access Controls
  • CC7 – System Operations
  • CC8 – Change Management
  • CC9 – Risk Mitigation

What does Availability TSC cover?

AICPA defines the availability trust services criteria as “Information and systems are available for operation and use to meet the entity’s objectives.” Because a service organization provides an outsourced service to its clients, it is important to demonstrate that the service is actually available to them.

Availability is a commonly included TSC, as providing evidence that systems are available for operation is key to many clients of service organizations.

What does Processing Integrity TSC cover?

Processing integrity covers whether system processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. This criterion tests that processing is free of errors, how data is stored and maintained, and, where errors do occur, that they are detected quickly and corrected.

What does Confidentiality TSC cover?

The confidentiality trust services criteria look at how information designated as confidential is protected to meet the entity’s objectives. Because what counts as confidential information varies between organizations, so does its examination. The key component is the contractual obligations of customer confidentiality and how that information is handled in practice.

What does Privacy TSC cover?

As defined by AICPA, the privacy trust services criteria cover the following: “Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).”

The main difference between privacy and confidentiality is that privacy TSC protects personal information while confidentiality TSC protects non-personal information and data.

What is the process to see our SOC 2 Type I report?

Due to the sensitive nature of the SOC 2 report, there is a specific process that will need to be followed. If you would like to learn more about the process or about our SOC 2 Type I report, please contact support@fathomhq.com.

We understand that when you use Fathom, you are entrusting us with one of your most valuable assets - the financial data of your company or client. We take this responsibility very seriously. The SOC 2 Type 1 report and the ISO27001 certification are testament to Fathom’s strong security foundations. We are now actively working towards SOC 2 Type 2. If you would like to know more about Fathom’s security measures and certifications, please contact support@fathomhq.com.
