Skip to main content

ISO 27001 / FSQS / SOC 1-2

ISO 27001 / FSQS / SOC 1-2

The security of your data is paramount. We have deployed a wide range of controls and measures to manage risk, monitor, assess and respond to emerging threats and mitigate vulnerabilities. Both Mavim and our cloud-hosting partner are ISO 27001:2013 certified. Find Mavim's ISO 27001 scope statement of applicability. Our Information Security Management System (ISMS) utilizes best practices based on ISO 27001:2013 (ISMS in an integrated solution based on the Mavim application, D365 customer service hub, SharePoint and Azure DevOps). Some of the key measures we deploy include:

  • Logically isolated customer-specific network regions ensuring separation of each customer’s data;
  • Data encryption in transit and at rest, using strong encryption methods;
  • Secure encryption key management, including customers to use their own encryption keys if desired;
  • Access control based on user role and authentication, with integration to identity and directory services available (e.g. Active Directory, SAML, etc.);
  • Secure service operations based on least privilege principles with operational access protected by multi-factor authentication and encrypted VPNs;
  • Active vulnerability management via infrastructure hardening, frequent software patch management and application code analysis with our software development life cycle (SDLC), using best practices such as the open web application security project (OWASP);
  • Regular penetration tests on our infrastructure and applications (including customer penetration tests with prior arrangement;
  • Secure activity monitoring and logging for audit trail purposes;
  • Secure media disposal and no use of tapes or removable media in our SaaS service infrastructure;
  • Invalidates session ID after logout or session timeout. We also close sessions within 30 minutes after idle timeout, absolute timeout (within 4 hrs) and user logout button;
  • We secure our application sessions by using "Secure" and HttpOnly cookie attributes, changing session ID's, validating security related cookies and sessions ID's;
  • We periodically audit and remove unnecessary accounts from all components of our infrastructure. To ensure immediate removal of system access which is no longer necessary, we have rigorous HR joiner, mover, leaver processes in place as well as an escalation process in case of an urgency;
  • To connect to our infrastructure, our system and database admins use Multi Factor Authentication (MFA) with One Time Passwords (OTP). System passwords are periodically changed (without the need of a service outage). Role-based access control (RBAC) is used to authorize users on our administration API;
  • Data return and secure destruction at contract end.

ISO certificate Statement of applicability


FSQS (Financial Services Qualification System) is a community of financial institutions including banks, building societies, insurance companies and investment services, collaborating to agree a single standard for managing the increasing complexity of third and forth-party information needed to demonstrate compliance to regulators, policies and governance controls. Mavim maintains FSQS registration.

SOC 1/2 vs. ISO 27001

Mavim is a software company building transformation management software. We do not process/contain any e.g. financial or PII data and we have no direct impact on our customers financial statements. We also do not carry out any business processes for our clients (e.g. covered in ISAE 3402) or build bespoke stuff. Identity management is firmly in the hands of our customers through federation. Based on this, we at Mavim found that for the type of software and service we provide, ISO27001 best fits our service and is widely accepted. Having our information security organization in order implies our principles, processes and policies are in good standing (SOC focus) and information security is most important for our customers knowing that we do not impact their financial statements directly. We have many customers in highly regulated business and geographies and have not encountered a need to maintain a SOC certification as well. 

  • Mavim is in possession of ISO27001. Contact us for our certificate and our Statement Of Applicability (SOA). This gives you an idea about our security baseline.
  • Mavim has implemented DevSecOps. This means that we have implemented security in our DoD (Definition of done, a.o. 4 eyes policy on coding and testing), but we also have a secure release pipeline and continuous scanning on our environments and code (e.g. SonarCloud, WhiteSource Bolt, Roslyn analyzers, CredScan, Checkmarx (also code bashing), etc.). This, besides the advanced security and security baselines we switched on at MS Azure.
  • Mavim is GDPR compliant.
  • Mavim has an annual Security Maturity cycle. Meaning we have a specialized external 3rd party performing a security maturity assessment annually and full vulnerability scanning and pen testing on our environments. We also have customers that request to perform their own pen testing. We happily cooperate with this as it makes us better, we do however have a security assessment agreement we then would need to have filled in and signed by an authorized person. 
  • Mavim has a bi-weekly internal security cycle where the Security team discuss progress on (potential) security issues.
  • Our baseline can also be found on our Trustcenter. Trustcenter | Mavim

The platform is hosted on Azure. Microsoft follows strict protocols for operating, managing, and monitoring Azure. Comprehensive audits for frameworks such as ISO, SOC, FISMA and FedRAMP are conducted by accredited third-party firms that provide attestations to how data protection requirements are met.

SOC and ISO 27001 are very similar. E.g.

SOC has the so called 5 Trust Services Criteria (or, trust service principles):

  • Security: Protecting information from vulnerabilities and unauthorized access
  • Availability: Ensuring employees and clients can rely on your systems to do their work 
  • Processing integrity: Verifying that company systems operate as intended
  • Confidentiality: Protecting confidential information by limiting its access, storage, and use
  • Privacy: Safeguarding sensitive personal information against unauthorized users

and up to 64 controls (requirements).

ISO 27001, Annex A has 14 domains (will be 11 from 1 May 2024 when the new ISO 27001/2022 norm will become effective):

And up to 114 controls (requirements)

We are a software factory. The system to continuously improve security throughout the organization and our partners is more important than reporting on our spot standard checks on a fixed set of rules.

SOC 2 vs ISO27001

Copyright © 2020 Mavim B.V.