an occasional request to conduct penetration testing
no reference to security at all
There is a growing acceptance that vendors’ solutions should be secure. But there is no consensus about how to assess this.
We are ISO 27001 accredited. But you can argue that ISO 27001 isn’t enough. Like all ISO accreditations, it confirms that processes exist. It does not guarantee that information is secure, just as ISO 9001 does not guarantee that products are of high quality.
And of course, it is people, not technology itself, who breach security. For this reason, we have started doing employee screening in line with relevant recommendations including: