We have a client that is a major German manufacturer, and they are conducting an IT security audit on us at the moment.
We've just had notification that we've failed the audit.
One of the failing points is:
- Has the cloud service supplier provided assurance documentation? (E.g. SSAE-16 / ISAE 3402, SOC 2, 3, CSA - STAR - Self Assessment, Attestation, Certification, ISO27001)
Even if you don't hold the certification they are asking for, it would be really helpful if you could elaborate on your approach to security to reassure them that their data is safe in your infrastructure.
Of course, I can describe all the things I do in the application, but I'm unable to reassure them about the underlying infrastructure.
Hopefully
Peter