Information Security

To ensure data and physical security, SYSPRO enforces a robust set of policies. We conduct frequent security assessments to identify potential vulnerabilities and implement improvements to minimize risks.

Policy Guidelines

SYSPRO’s policies, processes and procedures guide our data security, ensuring confidentiality, integrity and availability in the ever-evolving digital landscape. 

SYSPRO subscribes to the CIA triad, an information security model based on three pillars, namely: confidentiality; integrity; and availability. This model provides organizations with a guide for establishing security procedures and policies that address these three critical areas.

We created and implemented policies, processes and procedures to provide a structured framework for managing risk and to ensure that SYSPRO adheres to legal requirements, industry standards and best practices.

Information Security – Access Control

SYSPRO has a number of policies that focus on security to protect physical and information technology access. We regularly review security to analyze and identify possible risks and implement continuous improvement. Implementing access control is a crucial component of application security, ensuring only the right users have the right level of access to the right resources. We secure access control using current best practices that verify users and ensure that appropriate access control levels are granted to them.

Cybersecurity

SYSPRO recognizes the critical importance of cybersecurity in protecting confidential information, critical infrastructure, and overall business operations. Our Policy framework outlines our commitment to establishing and maintaining a robust cybersecurity program.

This framework aligns with industry best practices and relevant regulations. It includes:

  • An Information Security policy outlining SYSPRO’s overall approach to information security and data protection.
  • A policy that defines appropriate and acceptable behavior regarding IT systems and data access.
  • Policies addressing password management, incident response, and mobile security.

Encryption: Protecting Data at Rest and in Transit

In today’s digital landscape, data security is of paramount importance. SYSPRO adopts security best practices for on-premises and cloud platforms, ensuring appropriate protection and encryption are in place. Using Microsoft’s Azure cloud computing platform, robust encryption options are provided to safeguard data at rest and in transit. Azure’s encryption capabilities span various services including disks, storage accounts and SQL databases.

Data Retention

SYSPRO retains data for a specific period of time to meet regulatory, business, and technical requirements. Data retention and disposal are shared responsibilities between SYSPRO and the entity that owns the data. Our Service Level Agreements include clauses for data retention and safe disposal of data in the cloud.

When SYSPRO retains data, we ensure that information is kept safe and available for its intended use while adhering to privacy and data protection laws.

Business Continuity

Our Business Continuity framework ensures that SYSPRO can withstand unplanned disruptions such as a cyber attack, civil unrest, system outage, or natural disaster, protect its information, and maintain essential services throughout.

We have protocols, roles and responsibilities in place to minimize the impact of unplanned disruptions and continue operations as effectively as possible. Recovery processes and procedures are implemented to recover and restore operations.

Business continuity is a primary pillar and vital aspect of overall risk management and resilience.

Information Security Management System

SYSPRO is ISO/IEC 27001:2022 certified, which means we have implemented a comprehensive, internationally recognized Information Security Management System (ISMS). This certification covers a broad range of security controls and demonstrates our commitment to protecting client data.

While we are not currently SOC 2 audited, our ISO 27001 certification aligns closely with the Trust Services Criteria used in SOC 2. Many of the controls required for SOC 2 are already in place and regularly audited under ISO 27001.

SOC (Service Organization Control) refers to a suite of audit reports developed by the American Institute of Certified Public Accountants (AICPA). These reports are designed to help service organizations demonstrate the effectiveness of their internal controls, particularly those related to data security, privacy, and financial reporting.

SOC 1 reports are specifically designed for service organizations whose systems impact their clients’ financial reporting—for example, payroll processors or financial transaction services.

SYSPRO’s services do not fall into that category, so SOC 1 is not applicable to our operations. Instead, we focus on internationally recognized standards like ISO/IEC 27001:2022, which provides a comprehensive framework for managing information security across our organization.

Frequently Asked Questions

SOC1 vs. SOC2: What’s the Difference?

Both SOC1 and SOC2 are part of the American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC) reporting framework. The key differences between them lie in their focus and scope:

SOC1
  • Focus & Scope: Controls over financial reporting.
  • Applicable Organizations: Organizations that typically require a SOC 1 report are those providing services that could impact their clients’ financial statements, such as payroll processors and loan servicers.

SOC2
  • Focus & Scope: Controls based on security, availability, processing integrity, confidentiality and privacy.
  • Applicable Organizations: Organizations for which a SOC 2 report is typically applicable are those that handle sensitive data and are subject to compliance requirements from their customers and regulators, such as cloud service providers and SaaS providers.

ISO/IEC 27001:2022 and SOC 2

ISO 27001 is a global, strategic framework for managing information security.

SOC 2 is a U.S.-centric, operational audit focused on how data is handled and protected.

What is the main difference between ISO 27001 and SOC 2?

ISO 27001 is a certifiable international standard for establishing an Information Security Management System (ISMS).

SOC 2 is an attestation report based on the Trust Services Criteria, primarily used in the U.S.

Do they cover the same security controls?

ISO 27001 is risk-based and broader in scope.

SOC 2 focuses on specific criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

How long are the certifications valid?

ISO 27001: 3-year certification with annual surveillance audits.

SOC 2: Valid for 12 months (Type II), then must be renewed.

Do both require risk assessments?

ISO 27001: Yes, risk assessment is mandatory and central to the ISMS.

SOC 2: Risk assessment is recommended but not always explicitly required.