The International Organization for Standardization (ISO) is changing the structure of the ISO 27001/27002 control framework after 20 years. The name of the standard has changed a few times — British Standard (BS) 7799 Part 1 & 2 in the 1990s, to ISO 17799 in 2000, followed by ISO 27001/27002 — but the structure of the controls have largely remained the same until now.

What’s the difference between ISO 27001 and ISO 27002?

You can get an ISO 27001 certification, but not an ISO 27002 certification because it’s not a management standard that provides a full list of compliance requirements. ISO 27002 is a supplementary standard that provides advice on how to implement information security controls, and they’re listed in Annex A of ISO 27001.

ISO 27001 requires companies to perform a risk assessment to identify risks, what controls are required to mitigate the risk, and how it should be implemented. ISO 27002 on the other hand is simply information on a control, how it works, and how it could be implemented — it doesn’t tell you whether it’s applicable to your company.

How do the ISO 27002 revisions impact your company?

Typically, ISO will provide a period of time before companies will be required to adopt the updated ISO 27001 standard, so companies have time to make changes. You can expect the new standard to be published within the next year.

ISO 27001 may also require less implementation than what ISO 27002 recommends, but we’ll have more clarity once the new ISO 27001 standard is published. There will be a few configuration and process changes that will be a lower lift such as subscribing to threat intelligence feeds. 

Navigating these changes can be confusing but Secureframe is here to help! When the new ISO 27001 standard is released, Secureframe customers will be able to easily transition over before their next audit. 

Many controls have been removed and consolidated while some new ones have been added. Instead of having 14 categories with 114 controls, there are now 4 themes with 93 controls.

New controls were added to cover the following:

Information security for use of cloud services 

Information and communication technology (ICT) readiness for business continuity

There are now five attributes for each control:

Correspondence and mappings with ISO/IEC 27002:2013 are available in Annex B in the ISO 27002 draft.

If you’re ready to get ISO 27001 compliant or renew your certification, but are unsure how to navigate these changes, Secureframe can help! Request a demo or please reach out to sales@secureframe.com and we’ll be happy to get you started.

ISO 27002 is going through a major revision: What this means for companies’ ISO 27001 certifications

Secureframe Raises $18m from Kleiner Perkins to Automate Security Compliance. Read on TechCrunch →

https://techcrunch.com/2021/03/18/secureframe-series-a-cybersecurity-compliance/

Secureframe Raises $18m Series A from Kleiner Perkins to Automate Security Compliance

Secureframe Raises $18m from Kleiner Perkins

We are excited to announce that Secureframe has raised an $18 million Series A, led by Kleiner Perkins with participation from existing investors Gradient Ventures (Google’s AI venture firm), Base10 Partners, BoxGroup, Village Global, Soma Capital, Origin Capital, and Backend Capital, and alongside operators such as Gokul Rajaram (Doordash), Leore Avidar (Lob CEO), Charley Ma (Alloy), Sam Blond (Brex CRO), Webb Stevens (Carta CPO), Bharat Mediratta (Dropbox CTO), Waseem Daher (Pilot CEO), Jeff Arnold (Pilot COO), Todd Goldberg (Eventjoy) and Rahul Vohra (Superhuman), Brianne Kimmel, Nathaniel Harley (Mantl), and dozens more.

In 2020, Secureframe started with a mission to help businesses build trust and stay secure, and the security and compliance landscape has changed a lot already. Today, security and compliance has become a top priority for all software companies, with many companies needing to show that they are secure and undergo regular security audits to be able to continue to work with customers.

Before Secureframe, getting security compliance certifications such as SOC 2 was difficult and time consuming. Companies spent an average of 6 to 12 months and tens of thousands of dollars hiring security consultants and lawyers to achieve them.

We're proud of the progress we've made in building the Secureframe platform. We’re lucky to support amazing teams using Secureframe, such as Hasura, UnitQ, Instabase, and hundreds more. And we're even more excited for the future.

A few years ago, after going through the process to renew our SOC 2 report, we thought there must be a better way. We asked ourselves, “Why are we taking screenshots, sending hundreds of emails, and tracking things in dozens of messy spreadsheets? What if we integrate with all of the services that need to be reviewed? What if we build dedicated tooling for vendor management and employee onboarding?”

We started by building a platform to automate SOC 2 and ISO 27001 compliance. Today, Secureframe integrates with 40+ services and helps customers achieve their certifications end to end. Our customers have saved hundreds of hours of their time and achieved considerable savings. And along the way, our customers have asked us to build new integrations, workflows, and vendor management tools. However, the most common requests we get are for new certifications.

This year, Secureframe will continue to expand and add new certifications such as HIPAA and PCI.

The security and compliance automation space is rapidly evolving. Over the next year we expect Secureframe to bring efficiency to these complex processes and make them faster than ever before.

We look forward to continuing our work of helping companies build trust and stay secure. This new funding will allow us to accelerate hiring, expand to new security standards, and build more amazing products for our customers. If you want to have an incredible amount of impact and the opportunity to massively change an industry, join our team. We’re hiring for all roles!

Secureframe Raises $18m from Kleiner Perkins to Automate Security Compliance

Discover the difference between a SOC 2 and ISO 27001 certification and which one is right for your organization or business.

Should you get a SOC 2 report or ISO 27001 certification? | Secureframe

Which is a better fit for your company — SOC 2, ISO 27001, or Both?

Both SOC 2 and ISO 27001 strengthen customer confidence in your organization's security practices. The short answer is that it really depends on your customers. The most important factor for deciding between SOC 2 and ISO 27001 will come down to what your target market expects and requires. In order to make your decision, you’ll want to consider a number of factors including target market, the scope of controls, cost, and project timeline. 

If you’re based in the United States and a majority of your customers are also based in the US, you should opt for undergoing a SOC 2 Audit. Since launching in 2011, the SOC 2 Type II has become the industry standard framework for third-party reports when it comes to information security compliance in the US.

If a majority of your customer base is headquartered outside of the US, you may want to opt for completing an ISO 27001 audit. An ISO 27001 certification is the gold standard for information security compliance outside of the US. 

Ultimately, this decision comes back to what your customers are requesting and what they would ultimately accept during their vendor due diligence. There are many US companies that would accept an ISO 27001 certification, and there are many companies outside of the US that would accept a SOC 2 Report.

As your company grows, you will likely opt to complete both audits in order to have full coverage across your customer base.

SOC 2 and ISO 27001 may have around 70 - 80% overlap depending on how specific controls are written. ISO 27001 is much more prescriptive than SOC 2. ISO 27001 requires a predefined set of controls and also requires exact language to be used in many policy documents as part of the company’s Information Security Management System (ISMS).

Unlike ISO 27001, SOC 2 controls are usually defined by the company in accordance with the SOC 2 Trust Services Criteria and COSO Principles. 

The process for a SOC 2 report and ISO 27001 certification varies slightly from auditor to auditor. Generally, you can expect the below processes for undergoing a SOC 2 or ISO 27001 audit.

If you want your audit completed sooner rather than later, you’ll likely opt for completing a SOC 2 Type I which is a point in time assessment versus a SOC 2 Type II which is over a period of time, typically between 3 to 12 months. Traditionally, companies pursue a SOC 2 Type I prior to pursuing a SOC 2 Type II. 

For a SOC 2 Type I report, audit readiness typically takes an average of 3 months of preparation work. Once audit ready, it takes a total of 2 months to conduct the audit and receive the report in hand for both. For a SOC 2 Type II report, it can take an average of 4 months to get audit ready. Once ready, the audit assessment can take between 3 to 12 months depending on your desired audit window. Once the audit window has finished, it can take an additional month to address any follow-ups and receive a report in hand. 

For an ISO 27001 certification, audit readiness takes an average of 4 months. Once audit ready, it takes an average total of 6 months to complete Stage 1 and Stage 2 audits (addressing any weaknesses in between) and receive your report. Both SOC 2 and ISO 27001 require a substantial amount of time upfront in order to build and implement the right policies, processes and controls for your company.

Because of the overlap between SOC 2 and ISO 27001, you may save an enormous amount of audit time if you opt to do both at the same time.

Cost tends to vary from auditor to auditor. Generally, ISO 27001 certification tends to be more costly than a SOC 2 report. You may receive a substantial discount if you opt to complete both audits with the same auditor. 

We summarize the differences between a SOC 2 report and ISO 27001 certification below:

If you have more questions, or want to inquire about getting a SOC 2 and a ISO 27001, request a demo or please reach out to sales@secureframe.com.

Should you get a SOC 2 report or ISO 27001 certification?

Secureframe is excited to announce a $4.5M seed round with Base10 Partners and Gradient Ventures to help further the growth of our SOC 2 and ISO 27001 compliance services.

Announcing our $4.5M Seed Round with Base10 Partners and Gradient Ventures

Today, we are excited to announce that Secureframe has raised a $4.5M seed round co-led by Base10 Partners and Gradient Ventures, Google’s AI-focused venture capital fund, with participation from BoxGroup, Village Global, Soma Capital, Liquid2, Chapter One, Worklife Ventures, Backend Capital, and a number of world-class entrepreneurs and operators. The funding will be used to invest in our rapid growth, expand our offerings, and grow our team.

Getting SOC 2 and ISO 27001 ready typically takes several months and requires companies to regularly revisit their systems to ensure compliance standards are continuously met. Maintaining your certifications takes hundreds of hours and manual tasks each year. 

Secureframe allows companies to become SOC 2 and ISO 27001 compliant within weeks, rather than months. Our platform automatically monitors 25+ services, including Amazon Web Services, Google Cloud, Microsoft Azure, Github, and JAMF, to assess security practices and ensure compliance standards are met. Secureframe continuously collects audit evidence, runs security awareness training, monitors infrastructure, and more, all automatically.

This seed funding is just a small step towards achieving our mission to make the most powerful security simple and accessible for every organization. We are humbled to work with incredible customers, partners, colleagues, and investors on this journey. We are just getting started!

We are actively hiring engineers, product managers, account executives, and more. If you are interested in joining Secureframe, check out our careers page!

Learn the differences and similarities between SOC 1 vs SOC 2 vs SOC 3 compliance reports and which one is best for your business.

SOC 1 vs SOC 2 vs SOC 3 - What’s The Difference? | Secureframe

Information security has become an integral component of building a software business, especially for companies that rely on third-party vendors such as Amazon Web Services, Google Cloud, and Microsoft Azure to store sensitive customer information. The mismanagement of a company’s data may render it vulnerable to attacks and can permanently damage its public image.

System and organization controls, better known as SOC 1, SOC 2, and SOC 3 was developed by the American Institute of CPAs (AICPA) to address as a system-level of controls for companies to guide service organizations. A CPA firm uses the SOC framework to audit various internal controls and generates a SOC report on the design and effectiveness of those internal controls.

What are the different types of SOC reports?

There are three different types of SOC reports. 

SOC 1 — Internal Control over Financial Reporting (ICFR)

SOC 3 — Trust Services Criteria for General Use Report

The SOC report that is most relevant to a company depends on the information being hosted/processed by the firm for its customers. A SOC 1 report has a financial focus. For example, if you are providing payroll processing services, SOC 1 may be required to do business. A SOC 2 report is typically requested when you are hosting/processing any other type of information for a client. SOC 3 reports are less formal in appearance than SOC 2 reports and are better suited as public marketing material for a website or white paper. There is no one-size-fits-all when it comes to SOC, since SOC controls and reports are usually unique to different service organizations.

Depending on the type of information being hosted and processed, you may be asked for both a SOC 1 report and SOC 2 report.

What is the difference between Type I and Type II?

Both SOC 1 and SOC 2 have two levels of reports specified by the Statement on Standards for Attestation Engagements (SSAE) no. 18:

Type I — describes a service organization's systems and whether the suitability and design of specified controls meet the relevant trust criteria. 

Type II — includes the above and also measures the operational effectiveness of the specified controls.

The most commonly referenced report is the SOC 2. SaaS vendors, especially those in the enterprise and mid-market space, will commonly be asked by their customer’s legal, security, and procurement departments to provide a copy of the company’s SOC 2  report.

SOC 2 is not motivated by compliance with regulations, unlike many other frameworks such as HIPAA, GDPR, and CCPA. Instead, it is used by organizations that want to prove to their clients, and others to whom they are accountable, that they put into place internal controls to protect customer data properly.

SOC 2 Types I and II are very similar and easy to confuse. The most obvious difference is the time period covered by the reports. Type I describes the suitability and design of controls at a particular point in time. Type II extends over an extended period of time, typically 3 to 12 months, and can measure how effective the controls are. This means Type II takes more time and resources, but these reasons are also why it is more valuable to your customers. Enterprise, mid-market, and other firms involved with sensitive data, such as insurance firms, often prefer to work with companies that have a SOC 2 Type II report.

For most companies, you’ll want to complete the SOC 2 Type I report first. This is because a Type I report can be completed within weeks as opposed to several months or year (or more) that a SOC 2 Type II may take.

What are the SOC 2 Trusted Services Criteria?

For SOC 2, there are five Trusted Services Criteria that can be evaluated. Out of the five, only Security is required in order to be issued a SOC 2 report.

Security — Information and systems are protected against unauthorized access and unauthorized disclosure, including potentially compromising damage to systems. Information (or data) should be protected during its collection or creation, use, processing, transmission, and storage.

Availability — Data and systems are available for operation and use. Systems include controls to support accessibility for operation, monitoring, and maintenance.

Confidentiality —The organization should protect information designated as confidential (i.e. any sensitive information).

Processing Integrity — System processing (particularly of customer data) is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.

Privacy — Personal information is collected, used, retained, disclosed, and disposed of in accordance with relevant regulations and policies. 

Will I need both a SOC 1 and SOC 2 Report?

There are a number of organizations that may need both a SOC 1 and SOC 2 report. This will depend on the breadth of services provided by the organization and its customers. You may have customers requesting a SOC 1 in some instances and in other instances you may have customers requesting a SOC 2. Again, this depends on the nature of the services and the intended use by your customers. There is overlap across both, which can streamline readiness and testing.

Visit our website to request a demo or reach out to sales@secureframe.com to learn more about how we can help you successfully complete a SOC 2 audit and receive your report faster!

SOC 1 vs SOC 2 vs SOC 3 - What’s The Difference?

Discover if your organization or business needs to obtain a SOC 2 report with this article from Secureframe.

Who needs a SOC 2 report? | Secureframe

SOC 2 is the most common security framework technology companies in the United States rely on today. But do you need it? That depends. Below are 6 reasons why companies are getting SOC 2 compliant.

To ensure their own security and compliance, many enterprise, and mid-market customers will ask you to share your SOC 2 report. SOC 2 is increasingly becoming a competitive advantage in the sales process as the de facto standard for information security in software. Without a SOC 2 report, you may see some sales processes stall or delay during intense procurement and security reviews. You may also lose deals to your competitors that have a SOC 2 report available. 

Whether you’re using, storing, accessing, or processing customer data, it’s a best practice to get a SOC 2 report. Completing the SOC 2 process will help you meet your customer's expectations of protecting their data. The SOC 2 report assures you and them that you’re safeguarding data properly and following industry-standard practices.  

The SOC 2 framework strengthens security by requiring the company to comply with a variety of internal controls specific to your company. It emphasizes the importance of identifying and mitigating risks, auditing vendor security, reviewing access controls, performing security awareness training, business continuity planning, and many more fundamental security and compliance measures that will level up your company’s security posture. 

Satisfy Contractual and Regulatory Requirements

To get a SOC 2 report, companies must build and document a number of policies and processes, streamlining requirements such as backup recovery and security incident breach notification steps that are commonly mandated by regulations such as GDPR and HIPAA. Taking the steps to put these policies and processes in place ensures that responsibility for ownership is defined. This allows your company to quickly tackle identified issues, breeze through due diligence for mergers and acquisitions, fundraising, or other major company events, more confidently address any legal and regulatory issues and easily respond to any customer's compliance requests. 

SOC 2 enables you to create a framework for identifying and addressing risks to your business, whether they stem from potential fraud, natural disasters, security attacks, or faulty operational practices. Risk management is often overlooked but is crucial to a company that wants to stay secure, grow, and understand where else they can continue to improve.

Building the internal controls necessary for SOC 2 helps to foster an understanding of security throughout your organization. We emphasize to start as early as possible, be transparent to team members about the measures you’re taking, and encourage them to honestly report any potential risks or violations. Security isn’t just the responsibility of senior management, CISO, or the engineering department – it’s everybody’s responsibility. 

Request a demo or reach out to sales@secureframe.com to learn more about how we can help you successfully complete a SOC 2 audit and receive your report faster!  

Learn everything you need to know about penetration testing with our penetration testing 101 guide from Secureframe.

Penetration Testing 101 | Secureframe

A penetration test (often abbreviated as “pen test”) is a simulated attack by a third-party meant to identify vulnerabilities in a company’s infrastructure, systems, and applications. A company can then use these findings to remediate any identified vulnerabilities.

Prevent costly breaches: As attacks become more common and take on new forms, companies are increasingly relying on pen tests to identify and address potential security gaps. A review of cybersecurity breaches since 2011 found that the average cost of a cyber-breach, at a publicly-traded company, was $116mm. Some of the costliest breaches include Equifax in 2017 ($1.7 billion), Home Depot in 2014 ($298 million), Target in 2013 ($292 million), and Marriott in 2018 ($118 million). 

Strengthen customer trust: Customers may ask for you to perform an annual third-party pen test as part of their procurement, legal, and security due diligence.

Put previous doubts to rest: A pen test can prove that previous application security issues, if any, have been resolved in order to restore customer and partner confidence.

Get compliant: Pen tests are commonly required to comply with certain regulatory and compliance frameworks (SOC 2, GDPR, ISO 27001, PCI, HIPAA, FedRamp, etc.).

Required by Providers: Are you planning on integrating with Services such as Google Workplace? If so, Google may require you to perform a penetration test in order to access certain restricted APIs.

What happens during a penetration test? 

Generally, a penetration test occurs in the following stages:

Once you’ve engaged a pen test provider, you’ll need to determine the desired scope of a pen test, including which systems and scoping methods should be used. Because the pen tester could gain access to private information during the pen test, both parties should sign a non-disclosure agreement before the start of the pen test. 

Once you’ve agreed on the scope of your pen test, the pen tester will gather publicly available information to better understand how the company works. That could entail using web crawlers to identify the most attractive targets in the company architecture, network names, domain names, and a mail server. 

3. Identifying Threats and Vulnerabilities

The pen tester will identify potential vulnerabilities in the scope of the pen test to create an attack plan. They will probe for vulnerabilities, open ports and other access points that may provide information about system architecture.

The pen tester will exploit identified vulnerabilities via common web app attacks such as SQL injection or cross-site scripting, and attempt to recreate the fallout that could occur from an actual attack. That typically means the pen tester will focus on gaining access to restricted, confidential, and/or private data. 

5. Maintaining Exploits / Lateral Movement 

As the pen tester maintains access to a system, (s)he will collect more data. The goal is to mimic a persistent presence and gain in-depth access. Advanced threats often lurk in a company’s system for months, or longer, in order to access an organization’s most sensitive data. 

The pen testing firm typically provides you with an initial report of findings and provides you with an opportunity to remediate the discovered issues. After remediation is completed, the firm will once again attempt those known exploits to determine if the remediation undertaken by the company was successful in preventing future attacks.

The pen tester then creates a report summarizing:

Exploitable vulnerabilities and the potential impact(s) of a breach (vulnerabilities should be ranked by risk level and type) 

Restricted, confidential, and/or private data that was accessed

The duration of time that the pen tester remained undetected in the company’s systems 

Whether the vulnerabilities identified were remediated or not

The report should (1) outline the largest strategic threats from a business perspective (for management) and (2) describe technical threats that should be fixed by the company team (e.g. through security upgrades). 

The cost of a penetration test is largely determined by the scope of your pen test, or the breadth and complexity of company systems. The greater the number of physical and data assets, applications / products, access points, physical office locations, vendors, and networks you have, the more expensive your penetration test will likely be. 

The cost of your pen test may also be affected by the length of pen test engagement, experience level for the third-party pen tester, tools required for the pen test, and the number of third-party pen testers involved. 

What do I have to do to meet SOC 2 or ISO 27001 requirements for the pen test?

Generally speaking, you will meet SOC 2 and/or ISO 27001 audit requirements for sufficient evidence if (1) you perform a third-party pen test at least annually from a reputable vendor or firm, and (2) you make sure to identify and resolve identified critical and high-risk vulnerabilities.

The pen test is not a firm requirement for SOC 2. However, almost all SOC 2 reports include them and many auditors require one. They are also a very frequent customer request. We strongly recommend getting a thorough pen test from a reputable vendor.

In cases where auditors don't require you to have a pen test completed, auditors will still typically require you to run vulnerability scans, rank risks resulting from these vulnerabilities, and take steps to mitigate the highest risks on a regular basis. 

ISO 27001 requires that a company prevent the exploitation of technical vulnerabilities (control A.12.6.1, Annex A, ISO 27001:2013). Performing vulnerability scanning and analysis on your network and information systems identifies security risks, but won’t necessarily tell you if these vulnerabilities are exploitable. Therefore, it’s necessary to pair vulnerability scanning with a third-party pen test to provide the best evidence to your auditor that you’re aware of vulnerabilities and how they can actually be exploited in practice. 

What are the types of penetration tests? 

There are two ways you can think about pen tests: Test Design and Attack Methods. 

Black box or “blind,” also known as an external pen test 

Because the pen tester(s) are given no information about the environment they are assessing, black box tests simulate an attack by an outsider third party connected to the internet with no prior or inside knowledge of the company. 

A “double blind” penetration test is a specialized type of black box test. During “double blind” pen tests, the company undergoing the pen test ensures that as few employees as possible are aware of the test as possible. A “double blind” pen test can accurately assess the internal security posture of your employees. 

During a gray box pen test, the pen tester(s) is (are) given some limited knowledge of the environment that they are assessing and a standard user account.

Grey box tests imitate the level of access and information that a legitimate user of a client or partner who has an account would have. 

During a white box pen test, the pen tester(s) is (are) given inside knowledge of the internal architecture of the environment they are assessing.

White box tests assess the amount of damage that a malicious current or former employee could wreak on the company. 

An internal pen test is similar to a white box test. During an internal pen test, the pen tester is given a great deal of specific information about the environment they are assessing, i.e. IP addresses, network infrastructure schematics, and protocols used plus source code.                                                               

You can also request pen testers with expertise in specific attack methods if you believe your company is particularly vulnerable: 

Application tests, including mobile, software, and web applications.

Network tests, including routing issues, firewalls, port scanning, FTP, and secure sockets.

Wireless tests, including wireless networks, low security hotspots, and access points.

Physical tests, including brute-force and on-site attacks to access physical network devices, and access points. 

Social engineering tests, including phishing attacks and impersonations meant to reveal sensitive information such passwords, business data, or other user data. Common attacks target help desks or sales representatives. 

Cloud tests, including cloud storage and document handling.

Client-side tests, in which vulnerabilities in client-side software programs are exploited.

How do I select a penetration testing firm?

Each company’s security and compliance needs are unique. In general, you may want to consider the following: 

Pen tests differ in scope and test design. 

For scope, you’ll want to consider whether you’d like a pen test of your entire company, a specific product, web applications only, or network/infrastructure only. 

For test design, you’ll generally need to decide how much information you’d like to provide to pen testers. In other words, would you want to simulate an attack by an insider or an outsider? 

Be sure to ask your provider for a clear statement of work that covers the following: 

Safety, including penetration tester background checks and continuous security recertification

Mutually Agreed Upon “Off Limits” Areas for Pen Testing, if any

Ideally, your penetration test should cover a wide variety of network, host, and application attack vectors. Examples include the OWASP Top 10, DDoS and DDoS, IDOR, remote code execution, DNS brute force, DNS Subdomain takeover, deprecated ciphers, and cross-site scripting.

If certain attack vectors are important to your company, hire teams of pen testers with different specializations. 

Additionally, you’ll want to look for pen testers with a mix of relevant technical training and practical experience. Relevant certifications include Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), GIAC Exploit Researcher & Advanced Penetration Tester (GXPN), and Offensive Security Certified Professional (OSCP).

If your company has a wide breadth of complex assets, you may want to find a pen test provider that will allow you to customize your entire pen test, including ranking the priority of assets, providing extra incentives for identifying and exploiting particular vulnerabilities, and assigning pen testers with very specific skill sets. 

Make sure that your pen test provider has adequate insurance to cover the potential of compromised or breached data from pen testing. 

You’ll want to establish strong report expectations that provide both (1) strategic, jargon-free advice for security that can be easily digested by management, and (2) ranked technical vulnerabilities with remediation suggestions, including specific instances. Key penetration test metrics include issue / vulnerability level of criticality or ranking, vulnerability type or class, and projected cost per bug.

Ready for your first pen test? At Secureframe, we’re lucky enough to partner with many fantastic penetration test firms.  After your pen test is complete, we’ll provide advice on how to interpret the results of your pen test and strengthen your company’s security posture. You can request a demo online or reach out to sales@secureframe.com if you’d like to learn more! 

Secureframe Blog

ISO 27002 is going through a major revision: What this means for companies’ ISO 27001 certifications

Secureframe Raises $18m from Kleiner Perkins to Automate Security Compliance

Should you get a SOC 2 report or ISO 27001 certification?

Announcing our $4.5M Seed Round with Base10 Partners and Gradient Ventures

SOC 1 vs SOC 2 vs SOC 3 - What’s The Difference?

Who needs a SOC 2 report?

Penetration Testing 101

Never miss a post. Subscribe!