Security and Compliance

SafeWP's Commitment to ISO 27001 Security Excellence

At SafeWP, we understand that your website's security is paramount. That's why we've built a comprehensive security framework on ISO 27001, the international standard for information security management systems (ISMS), and extended it with controls that go beyond the standard's baseline.

ISO 27001 Compliance and Beyond

ISO 27001 provides a systematic approach to managing sensitive company information, ensuring it remains secure through people, processes, and IT systems. The standard does not prescribe a fixed list of controls: an organization assesses its risks, selects the Annex A controls that address them, and records that selection in a Statement of Applicability. SafeWP has adopted this framework as the foundation of our security posture, implementing the controls applicable to our environment and going several steps further to protect your valuable digital assets.

How SafeWP Protects Your Website:

  • Multi-layered Security Architecture: We employ defense-in-depth strategies with multiple security layers including firewalls, intrusion detection systems, and advanced monitoring tools.
  • Zero-Trust Network Access: Every connection to your website infrastructure is authenticated and authorized regardless of where it originates, so being on an internal network never grants access by itself.
  • Real-time Threat Monitoring: Our security operations center continuously monitors for threats and responds immediately to potential security incidents.
  • Automated Security Updates: Critical security patches are applied automatically so that known vulnerabilities are closed promptly.
  • Encrypted Data Transmission: All data in transit is protected with industry-standard encryption protocols, keeping your content and user data confidential on the wire.
  • Regular Security Audits: We conduct regular security assessments and penetration testing to identify and address potential vulnerabilities proactively.
  • Incident Response Team: Our dedicated security experts respond to security incidents within minutes, minimizing potential impact.

The following table outlines the specific security controls we have implemented in accordance with ISO 27001 standards. Each control has been carefully implemented and is continuously monitored to ensure ongoing compliance and effectiveness.

Control Status

Unique production database authentication enforced

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as a unique SSH key per user.

Encryption key access restricted

The company restricts privileged access to encryption keys to authorized users with a business need.

Unique account authentication enforced

The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.

Production application access restricted

Access to the production application is restricted to authorized users only.

Access control procedures established

The company's access control policy documents the requirements for the following access control functions:

  • adding new users;
  • modifying users; and/or
  • removing an existing user's access.

Production database access restricted

The company restricts privileged access to databases to authorized users with a business need.

Firewall access restricted

The company restricts privileged access to the firewall to authorized users with a business need.

Production OS access restricted

The company restricts privileged access to the operating system to authorized users with a business need.

Production network access restricted

The company restricts privileged access to the production network to authorized users with a business need.

Access revoked upon termination

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

Unique network system authentication enforced

The company requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

Remote access MFA enforced

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Remote access encryption enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
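The authentication and remote-access controls above (unique SSH keys rather than passwords, no shared accounts, MFA and an encrypted connection for remote access) can be checked mechanically on each host. The following Python audit of an OpenSSH sshd_config is an added example written for this page, not SafeWP's tooling or configuration. The two configuration snippets inside it are constructed, and the expected values (PasswordAuthentication no, PermitRootLogin no, a two-method AuthenticationMethods list, no CBC or legacy ciphers) are the editor's reading of the controls, not settings quoted from the page.

```python
import re
from typing import Dict, List

# Constructed sshd_config fragments for the demonstration (not SafeWP's real configuration).
COMPLIANT_CONFIG = """
# key-only logins, per-person accounts, key + one-time-code MFA
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
"""

WEAK_CONFIG = """
# passwords allowed, shared root login, single factor, a CBC cipher
PasswordAuthentication yes
PermitRootLogin yes
Ciphers aes128-cbc,aes256-ctr
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global-section directives as lower-cased keyword -> value.

    sshd keeps the first value it reads for a keyword, and lines inside a
    Match block only apply conditionally, so parsing stops at the first Match.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*)$", line)  # "Keyword value" or "Keyword=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return one finding per failed check; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings: List[str] = []

    # Unique SSH-key authentication: no password or empty-password logins, keys enabled.
    if cfg.get("passwordauthentication", "yes").lower() != "no":  # sshd default is yes
        findings.append("PasswordAuthentication is not 'no': password logins are allowed")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: authorized keys cannot be used")
    if cfg.get("permitemptypasswords", "no").lower() != "no":
        findings.append("PermitEmptyPasswords is enabled")

    # Unique accounts: a shared root login breaks per-person attribution. The sshd
    # default, prohibit-password, still lets root in with a key, so require 'no'.
    if cfg.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no': shared root login is possible")

    # Remote-access MFA: every alternative in AuthenticationMethods must require at
    # least two methods, e.g. "publickey,keyboard-interactive" (key plus PAM OTP).
    methods = cfg.get("authenticationmethods", "")
    if not methods:
        findings.append("AuthenticationMethods is not set: one factor is enough to log in")
    else:
        for alternative in methods.split():
            if len([x for x in alternative.split(",") if x]) < 2:
                findings.append(f"AuthenticationMethods alternative '{alternative}' is single-factor")

    # Encrypted remote access: SSH always encrypts, but a legacy cipher weakens it.
    # A list starting with '-' removes ciphers from the default set, so skip that form.
    ciphers = cfg.get("ciphers", "")
    if ciphers and not ciphers.startswith("-"):
        for cipher in ciphers.lstrip("+^").split(","):
            name = cipher.strip().lower()
            if name.endswith("-cbc") or name.startswith(("3des", "arcfour")):
                findings.append(f"weak cipher '{name}' is enabled")
    return findings


if __name__ == "__main__":
    for label, config in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {audit_sshd_config(config) or ['no findings']}")
```

The audit reads only the global section: directives inside a Match block apply conditionally, so a Match block that re-enables PasswordAuthentication for one user needs a separate check. Feeding it the output of `sshd -T`, which prints the effective configuration with defaults filled in, gives a more reliable result than the raw file.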

Intrusion detection system utilized

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

Log management utilized

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
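The intrusion-detection and log-management controls above describe what is monitored but not how an alert is derived from raw events. The following Python detector is an added example for this page, not SafeWP's SOC tooling: it runs over a constructed sample of OpenSSH authentication log lines and raises alerts for a brute-force burst (five or more failures from one source within sixty seconds), for a successful login from a source that previously produced such a burst, and for any accepted password login, which the unique-authentication controls above say should not happen. The threshold, window and severities are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed OpenSSH auth-log sample (syslog format) for the demonstration; not real SafeWP logs.
SAMPLE_AUTH_LOG = """\
Mar 12 02:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 12 02:14:03 web01 sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 51040 ssh2
Mar 12 02:14:04 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51055 ssh2
Mar 12 02:14:06 web01 sshd[2208]: Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Mar 12 02:14:08 web01 sshd[2210]: Failed password for invalid user ubuntu from 203.0.113.7 port 51071 ssh2
Mar 12 02:14:20 web01 sshd[2215]: Accepted publickey for deploy from 198.51.100.10 port 40122 ssh2: ED25519 SHA256:c0nstructed
Mar 12 02:30:00 web01 sshd[2301]: Failed password for jane from 198.51.100.23 port 40200 ssh2
Mar 12 02:31:10 web01 sshd[2302]: Accepted password for jane from 198.51.100.23 port 40201 ssh2
Mar 12 03:05:00 web01 sshd[2400]: Failed password for root from 203.0.113.7 port 52000 ssh2
Mar 12 03:05:02 web01 sshd[2401]: Accepted password for root from 203.0.113.7 port 52001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 5           # assumed tuning values, not figures from the page
WINDOW = timedelta(seconds=60)


@dataclass
class Alert:
    severity: str
    source: str
    message: str


def detect(log_text: str) -> List[Alert]:
    """Run the three rules over the log and return alerts in the order they fire."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # recent failure times per source
    burst_sources: Set[str] = set()                            # sources that tripped rule 1

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages (session opened/closed, etc.)
        # syslog timestamps carry no year; strptime defaults to 1900, fine for deltas
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        src, user, method = m["src"], m["user"], m["method"]

        if m["result"] == "Failed":
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > WINDOW:  # drop failures outside the window
                window.popleft()
            # Rule 1: brute-force burst (alert once per source)
            if len(window) >= FAILURE_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(Alert("high", src,
                                    f"{len(window)} failed logins within {WINDOW.seconds}s"))
        else:
            # Rule 2: a success from a source that was brute-forcing is the worst case
            if src in burst_sources:
                alerts.append(Alert("critical", src,
                                    f"login accepted as '{user}' after a brute-force burst"))
            # Rule 3: the controls above require keys/MFA, so any password success is a violation
            if method == "password":
                alerts.append(Alert("medium", src,
                                    f"password login accepted for '{user}'; policy requires keys and MFA"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG):
        print(f"[{alert.severity}] {alert.source}: {alert.message}")
```

Rule 3 is the one that turns a policy statement into a detection: once password authentication is supposed to be disabled, a single "Accepted password" line is evidence of a misconfigured host, not merely a suspicious login, and it surfaces even when no brute-force burst preceded it.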

Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Network firewalls reviewed

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Network and system hardening standards maintained

The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually.

Service infrastructure maintained

The company patches the infrastructure supporting the service as part of routine maintenance and in response to identified vulnerabilities, so that servers supporting the service remain hardened against security threats.

Networks security

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

Security of network services

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

Segregation of networks

Groups of information services, users and information systems shall be segregated in the organization's networks.

Web filtering

Access to external websites shall be managed to reduce exposure to malicious content.

Segregation in networks

Cloud Service Customer:

The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements.

Cloud Service Provider:

The cloud service provider should enforce segregation of network access for the following cases:

  • segregation between tenants in a multi-tenant environment;
  • segregation between the cloud service provider's internal administration environment and the cloud service customer's cloud computing environment.

Where appropriate, the cloud service provider should help the cloud service customer verify the segregation implemented by the cloud service provider.

Clock synchronization

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

Secure system architecture and engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Segregation in virtual computing environments

A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.

Capacity management

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Capacity management (Cloud Services)

Cloud Service Customer:

The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements.

The cloud service customer should monitor the use of cloud services, and forecast their capacity needs, to ensure performance of the cloud services over time.

Cloud Service Provider:

The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages.

Encryption of PII transmitted over public data-transmission networks

PII that is transmitted over public data-transmission networks should be encrypted prior to transmission.