Information Security
SKAND is committed to cyber security and to maintaining the security and privacy of our customers’ data. To meet this commitment, we have built a robust framework for managing information security risks and achieved certification against the ISO 27001 information security standard by an accredited audit body.
ISO 27001 is the leading international standard for managing information security. In order to gain certification, a company must show it has a precise and continuous approach to managing information security risks that affect the confidentiality, integrity, and availability of the company and customer information.
ISO 27001 Certification
ISO certification provides assurance that SKAND maintains the necessary know-how for protecting and safeguarding our customers’ data. Our compliance with the ISO 27001 standard is regularly audited by an independent auditing body. Because an accredited third party assesses our security policies and procedures, customers and partners can be assured that our system is robust and compliant with the international standard.
In 2021, SKAND achieved certification against the ISO 27001 standard, having completed a multi-stage external audit program conducted by accredited auditors. Our certification covers SKAND’s full suite of products and services.
SKAND’s Information Security Management System
ISO 27001 was developed to help organisations protect their information and data in a systematic way, through the adoption of an Information Security Management System (ISMS). SKAND has developed and implemented a robust Information Security Management System, including policies and processes built around achieving the following objectives:
Confidentiality: only authorised persons have the right to access information.
Integrity: only authorised persons can change the information.
Availability: the information must be accessible to authorised persons whenever it is needed.
More specifically, our Information Security Management System establishes rules that:
Identify stakeholders and their expectations of the company in terms of information security.
Identify which risks exist for the information.
Define controls/safeguards and other mitigation methods to meet the identified expectations and handle risks.
Set clear objectives on what needs to be achieved with information security.
Implement all the controls and other risk treatment methods.
Continuously measure if the implemented controls perform as expected.
Continuously improve the ISMS so that it works better as a whole.
Specific Information Security Protocols
Our Information Security Management System codifies all aspects of our management approach to information security. Some specific protocols include:
Ensuring that all data transport and connectivity with the platform is over a secure channel. Our infrastructure and data storage are located in Australia on AWS servers in Sydney.
Ensuring that potential vulnerabilities cannot be exploited. To meet this requirement, we undertake periodic multi-day penetration testing, in which external specialists assume the role of an attacker and attempt to find weak spots in our system. By deliberately attacking our own system under controlled conditions, we can assess potential risks and vulnerabilities and improve the robustness of the system against cyberattack.
The penetration testing specialist found that “the platform has been built using well-established frameworks” and is well protected against attacks targeted at users and/or the backend system.
While we have established robust policies, processes and minimum requirements, we do not apply a one-size-fits-all approach to information security management. SKAND’s tailored approach allows us to meet the specific needs of customers and partners. We welcome the opportunity to work with all customers to comply with any specific cyber security requirements.