Resilience

    References in this section refer to attestations and reports which can be provided on request from tmo@mimecast.com

    ISO-27001
    Information security risk treatment (section 6 controls)
    Information security awareness, education and training (section 7 controls)
    Management of information security incidents and improvements (section 16 controls)

    ISO-27701
    Information security risk treatment (section 5 controls)
    Information security awareness, education and training (section 6 controls)
    Learning from information security incidents (section 6 controls)
    Privacy by design and privacy by default (section 8 controls)
    PII sharing, transfer, and disclosure (section 8 controls)

    ISO-22301
    Business continuity plans and procedures (section 8 controls)
    Exercise programme (section 8 controls)

    SOC2 (Trust Principle section)
    Overview of operations
    ISO-27001
    Availability of information processing facilities (section 17 controls)

    SOC2 (Trust Principle section)
    Overview of operations
    ISO-27001
    Information backup (section 12 controls)

    ISO-27701
    Information backup (section 6 controls)

    SOC2 (Trust Principle section)
    Overview of operations
    Principal service commitments
    Security category
    ISO-27001
    Organisational roles, responsibilities and authorities (section 5 controls)
    Information security objectives and plans to achieve them (section 6 controls)
    Awareness (section 7 controls)
    Operational planning and control (section 8 controls)
    Information security risk treatment (section 8 controls)
    Mobile devices and teleworking (section 6 controls)
    Termination and change of employment (section 7 controls)
    Responsibility for assets (section 8 controls)
    Capacity management (section 12 controls)
    Verify, review and evaluate information security continuity (section 17 controls)
    Availability of information processing facilities (section 17 controls)

    ISO-27701
    Organisation of information security (section 6 controls)
    Operational procedures and responsibilities (section 6 controls)
    Information security continuity (section 6 controls)
    Obligations to PII principals (section 7 controls)
    General (section 8 controls)
    Obligations to PII principals (section 8 controls)
    Temporary files (section 8 controls)

    ISO-22301
    Roles, responsibilities and authorities (section 5 controls)
    Planning changes to the business continuity management system (section 6 controls)
    Awareness (section 7 controls)
    Operational planning and control (section 8 controls)
    Business continuity strategies and solutions (section 8 controls)
    Business continuity plans and procedures (section 8 controls)
    Exercise programme (section 8 controls)

    SOC2 (Trust Principle section)
    Security category

    The Mimecast platform is an active-active, multi-tenant SaaS environment built on a proprietary, geographically dispersed high-availability cluster architecture. The cluster holds multiple copies of Customer Data, and those copies are in turn replicated between two data centers and three separate environments located within the same geography.

    Mimecast has created a resilience program with the following attributes:

    • Approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review
    • Annually reviewed for adequacy of resources (people, technology, facilities, and funding)
    • Annually evaluated by a third party for ISO-22301 certification

    The program additionally outlines:

    • Conditions for activating the plan, and the associated roles and responsibilities
    • Maintenance schedule to revise and test the plan, plus awareness and education activities
    • Roles and responsibilities for those who invoke and execute the plan
    • Alternate and diverse means of communications
    • Interaction with the media during an event
    • Notification and escalation to clients
    • Dependencies upon critical service providers, including:
      • Notification and escalation
      • Reviews of critical functions, known and emerging threats, organisational structure and personnel changes