We are happy to announce that Lokalise has been certified according to ISO/IEC 27001 and ISO/IEC 27017 standards as of November 2020. As this milestone has been achieved, it is time to step back and look at the broader picture.
Today, we’re taking a closer look at what “good security” actually is and how it relates to Lokalise as a platform, service, and a company in general.
When people ask about how secure your product is, what is the first thing that comes to your mind? Is it about secure data – that no one without permission can access it? Is it about availability – that the service is always running and never goes down?
Or maybe it is all about keeping hackers away – preventing them from stealing data or affecting the system?
The more we think about this simple question, the more complicated it gets. And if we start digging into technical details, then it becomes as clear as mud.
Let’s look at this from a different perspective and ask the following question: What should a company do to ensure I can trust them with my data? This is the big revelation: TRUST is what matters the most.
Information security is important, but it is not the only factor that plays a role here. If I do not know the person or the company I want to work with, how can I trust them?
There are multiple theories around trust and how it’s built, but for the sake of this post we can say that common values or beliefs are a good starting point. Also, predictability is key:
Trust means being able to predict what other people will do and what situations will occur. If we can surround ourselves with people we trust, then we can create a safe present and an even better future
This applies to B2B relationships as well, where one company wants to understand and predict what the other company is (or will be doing) with its data. This is the point where industry-wide, accepted certifications come into play.
The ISO 27001 certification, explained in simple terms
Standards such as ISO/IEC 27001 and its relations lay a common ground for understanding each other, even when we have not met previously. It is the same as having a driver’s license – if you have one, we can safely assume that you know how to drive and follow general traffic rules, so we can happily hop into your car.
Lokalise has maintained SOC 2 Type 2 certification for more than a year already. Now, by adding IEC/ISO 27001 and its extension, IEC/ISO 27017, we can say that we have all the necessary driver’s licenses to operate and secure our system and customer data.
Now let’s look at the practical similarities and differences between the IEC/ISO 27001 and SOC 2 Type 2 certifications.
As a side note – we have to bear in mind that these certifications are governed by different organizations (ISO and AICPA, respectively) and that SOC 2 is more recognized in North America while ISO 27001 is widely known in the rest of the world.
In terms of practical everyday security, both standards cover everything starting at the governance and risk management level, and then going down to very practical aspects like physical security, access control, incident management, and others. Some say that the difference is in 5-15% of the controls, but it also significantly depends on the implementation side of things.
When we started our security program, we already knew that one day we would hold both certifications. So, right from the very beginning the policies and processes were designed with respect to both standards.
This way, only minor adjustments were necessary to fit our information security management system (ISMS) which had already been examined twice according to SOC 2 to the ISO 27001 requirements.
One of the biggest differences between these two standards lies in the way the examinations themselves are carried out in terms of their scope:
SOC 2 Type 2
The audit looks at actual evidence of completed controls from the previous period (in our case, this was 1 year), much like in a financial audit.
Some of the elements that are examined include the way user accounts are created, whether or not all service tickets are available, how changes into production systems are introduced, if sufficient testing has been done, etc.
Every year we have to do a complete SOC 2 Type 2 examination from scratch.
ISO 27001
With ISO 27001, we are certifying the entire information security management system (ISMS). This proves that we have a company-wide, ongoing operational, risk-based, and managed security system in place, and that it’s running smoothly.
There is a 3 year certification cycle for ISO 27001 with the full audit in the first year and smaller recertification audits in the second and the third years.
The certification audit is different from SOC 2, with the main focus being on continuous improvement, risk management, and running a successful ISMS as a whole.
Nevertheless, it can get down to the same technical details as the SOC 2 audit.
The ISO/IEC 27017 (Information technology—Security techniques—Code of practice for information security controls based on ISO/IEC 27002 for cloud services) is an extension to the ISO 27001 standard, which provides guidance for the security of cloud service providers in more detail than ISO27001/2.
With this certificate, topics like the shared responsibility model, relationships between the cloud service provider and its customer, or use of shared resources, are all covered.
In a nutshell, we have been using these guidelines to align and adjust our internal processes and procedures to ensure we meet the highest standards and comply with industry best practices.
Summary
To summarize all of the above – we have done (and are doing) a lot to remain a reliable and trusted partner to our customers, in terms of security and data protection. Of course, that doesn’t mean that we are stopping here. There is a lot to be done and with the ever-changing security environment around us, we will do our best to continue improving.
This was the first, high-level introduction to Lokalise security. You can expect more detailed (and also technical) posts in the near future. In the meantime, you can learn more about Lokalise security measures on our website.
Senior Manager of Information Security and IT Operations
With over 20 years in the IT industry, I am a seasoned professional specializing in leading IT security and IT Operations teams, particularly within fast-growing start-ups. I have a proven track record of building successful IT security practices from the ground up and leading teams of over 15 consultants to deliver innovative solutions across multiple industries.
My career began in system administration and development, progressing to a focus on IT security, infrastructure management, and IT operations leadership. I maintain exceptional hands-on abilities across most modern operating systems and cloud platforms and implement key security technologies such as SIEM, DLP, and vulnerability management. Additionally, I have extensive experience in penetration testing and security consulting, formulating comprehensive protection strategies.
I have effectively led IT Operations teams to ensure seamless and efficient service delivery. I am also adept at running user awareness programs to educate and empower teams in maintaining security best practices. I have successfully managed the implementation and maintenance of ISO 27001 and SOC 2 Type II certifications, ensuring compliance and security excellence.
Recently, I expanded my expertise to cloud platforms, including Microsoft Azure, AWS, and Google Cloud Platform, to stay at the forefront of the digital landscape. I am dedicated to driving security initiatives and digital transformation by leveraging my technical background and strategic insights. My passion is empowering my teammates to do their best and never stop learning, fostering an environment of continuous improvement and innovation.
With over 20 years in the IT industry, I am a seasoned professional specializing in leading IT security and IT Operations teams, particularly within fast-growing start-ups. I have a proven track record of building successful IT security practices from the ground up and leading teams of over 15 consultants to deliver innovative solutions across multiple industries.
My career began in system administration and development, progressing to a focus on IT security, infrastructure management, and IT operations leadership. I maintain exceptional hands-on abilities across most modern operating systems and cloud platforms and implement key security technologies such as SIEM, DLP, and vulnerability management. Additionally, I have extensive experience in penetration testing and security consulting, formulating comprehensive protection strategies.
I have effectively led IT Operations teams to ensure seamless and efficient service delivery. I am also adept at running user awareness programs to educate and empower teams in maintaining security best practices. I have successfully managed the implementation and maintenance of ISO 27001 and SOC 2 Type II certifications, ensuring compliance and security excellence.
Recently, I expanded my expertise to cloud platforms, including Microsoft Azure, AWS, and Google Cloud Platform, to stay at the forefront of the digital landscape. I am dedicated to driving security initiatives and digital transformation by leveraging my technical background and strategic insights. My passion is empowering my teammates to do their best and never stop learning, fostering an environment of continuous improvement and innovation.
The International SEO Checklist: Go Global Without Growth Pains
International SEO is just SEO set on difficulty level: hard. Pick the wrong URL structure? Rebuild everything from scratch. Misunderstand local search behavior? Watch your content strategy crumble. Skip proper hreflang implementation? Google shows Hindi content to German users. The brands winning at international SEO don’t simply wing it. They follow a systematic approach to handle market research, technical setup, localization, and more. That’s why we created th
All You Need to Know About Vendor Management in Localization
You decided to open your product for the world to discover. Congratulations! Translation is one of the next steps to open the doors of the global marketplace. One problem: you do not have an in-house translator team, and now is neither the time nor the priority to hire them. One solution: connect with vendors who will assist you in your localization projects. One better solution: discover vendor management in loc
5 Best Translation Management Systems to Make Projects Easy
The traditional translation management system (TMS) is dead. It doesn’t support the many moving parts of the multilingual content lifecycle, such as managing linguistic assets and syncing with design systems to integrating with codebases, automating QA, and coordinating stakeholders across functions. Modern TMS solutions go far beyond translation. They bring together translators, developers, marketers, and designers under one roof. But with dozens of transla