Q: What type of third-party assurance regarding internal controls do you receive (e.g., SSAE16/SOC 2)? Are AskCody ISO 27002 compliant? May we receive a copy of the latest report? Do you produce audit reports on a regular basis that are conducted by reputable 3rd party experts? How often does the provider have their info security program audited?
A: The AskCody Information Security Policy and Rules are based on the generally accepted standards as the Information Security standard ISO/IEC 27001/ 27002 and ISAE 3000 (ISAE 3000 is the standard for assurance over non-financial information. ISAE 3000 is issued by the International Federation of Accountants (IFAC). The standard consists of guidelines for the ethical behavior, quality management, and performance of an ISAE 3000 engagement). Since January 1st 2017 we started to implement our new Information Security Policy based on ISO 27002 and now certified with ISAE 3000 (Report can be received upon request). That means we operate in accordance with ISAE 3000 guidelines and can demonstrate in a control statement that our organization’s internal management processes are conducted in accordance with the specifications set out in our Information Security Policy.
Q: Do Customers have a right to audit to validate controls? Do Customers have the right to, through an independent reputable third-party auditor, conduct annual or bi-annual vulnerability analyses and audits on Supplier's data centers, environment, and organization?
A: Upon reasonable notice, Customers have the right, through an independent reputable third-party auditor reasonably acceptable to AskCody accepting the same duties of confidentiality as set out and our contracts with Customer, to conduct annual or bi-annual vulnerability analyses and audits on Supplier's data centers, environment, and organization. Customers also have the right, through an independent reputable third party fulfilling the requirements as per the preceding sentence, to monitor Supplier’s service performance in terms of capacity management issues, e.g. response times of the service, turnaround times and similar. AskCody is based on a data center where AskCody has no rights on physical access. If the Customer requires an audit of the data center, the Customer will bear the cost for accessing the data center.
Q: Do you have a single individual who has ultimate responsibility for information security program and compliance? If so, to what level of the organization does that individual report?
A: Rune Spliid, Head of Office, firstname.lastname@example.org, is appointed Security Officer & Coordinator, responsible for ensuring that Information Security is understood, communicated and implemented accordingly at the right level in the organization, and that Information Security rules and standards are consistently implemented for AskCody. Rune Spliid is referring directly to CEO, Allan Mørch and the Board of Directors.