Is your customers’ personally identifiable information (PII) data safe?

January 23, 2018

Contributed content by Justin Li, Product Marketing at Zuora.

Zuora achieves ISO 27018 compliance, which means we protect your PII data in the cloud—something every order-to-cash, billing, or financial management solution should do.

Equifax, Yahoo, Uber…these are just three of the biggest hacks you may have heard of from 2017. It was a year in which we heard all too often about cyber attacks that cost companies millions of dollars and compromised the personal data of millions of people.

And experts say not to expect this to change anytime soon. Mark Nunnikhoven, vice president of cloud research at the security company Trend Micro, put it this way in a recent CNN Tech article on the hacks that left us exposed in 2017: “As we do more and more of our business online, and as criminals realize the value of the data that organizations are protecting, we’re seeing more big-name breaches, more high-profile breaches.”

As a mission-critical system that handles our customers’ data AND our customers’ customers’ data, it’s imperative that our security is top-notch. That’s why we have systems, tools, and procedures in place to make sure that your PII data is protected in the cloud.

“At Zuora, our customers’ trust is our #1 value, and we take the protection of our customers’ data very seriously. Our goal is to continue strengthening our security program while providing transparency and visibility to our customers. We will continue to invest in the security of our services and exceed industry standard best practices.” – VP & CSO Pritesh Parekh, Zuora, 2018 CSO of the Year Finalist

Taking that protection one step further, today we’re excited to announce that we’re now ISO 27018 compliant!

What is ISO 27018?

ISO 27018 is part of the ISO 27000 family of standards, which addresses controls and control mechanisms related to privacy, confidentiality, and technical security. Here’s a quick overview:

ISO 27001: Annual certification that verifies we have a rigorous information security management system (ISMS) in the cloud that aligns with the ISO 27002 best practices.
—Most recently, Zuora renewed its ISO 27001 certification for 2017.
—ISO 27001 requires that management:

  • Systematically examines the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts.
  • Designs and implements a coherent and comprehensive suite of information security controls to address those risks that are deemed unacceptable.
  • Adopts an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis. (KRYPSIS provides a full summary of ISO 27001 and why it is so important for organizations.)

ISO 27018: Annual compliance assessment that extends the ISO 27001 scope to cover PII data.

What does ISO 27018 compliance mean for your business?

As a business, you should feel confident that the vendors you work with are constantly managing their systems and running tests to ensure that your data and your customers’ data are safe. With Zuora’s 24/7 data monitoring, you can visit our trust site right now to see how our platform is doing.

In addition, ISO 27018 mandates that your personal data won’t be used for purposes such as advertising and marketing without your consent. With ISO 27001 & 27018 in place, our security team continues to push ahead to implement standards that support the EU GDPR, which applies starting from May 2018.

What if companies aren’t ISO 27001 and 27018 compliant?

The number of companies out there that aren’t ISO 27001 & 27018 compliant might surprise you. And this is potentially a serious problem.

Using an order-to-cash, billing, or financial management solution without ISO 27001/27018 compliance means that:

  • Companies can sell your PII data (e.g., your billing address, buying preferences) for advertising and marketing if not otherwise specified in a previous agreement.
  • Companies aren’t required to have standardized processes when handling PII data, which can mean insecure transfer and disposal of data.
  • Companies aren’t required to have monitoring and response systems in place for security threats, so your data could be unmonitored and vulnerable to cyber attacks.

If you’re looking into buying an order-to-cash, billing, or financial management solution, make sure to ask the sales rep to show proof of ISO 27001 & 27018 compliance.

Learn more about protecting your business and your customers from Pritesh Parekh, VP, CSO of Zuora in this free guide: 7 Keys to Build an Enterprise Security Program.