Resilience
ISO-27001 ISO-22301 ISO-27701 SOC2
References in this section refer to attestations and reports which can be provided on request - tmo@mimecast.com
Incident Management
ISO-27001
Information security risk treatment (section 6 controls)
Information security awareness, education and training (section 7 controls)
Management of information security incidents and improvements (section 16 controls)
ISO-27701
Information security risk treatment (section 5 controls)
Information security awareness, education and training (section 6 controls)
Learning from information security incidents (section 6 controls)
Privacy by design and privacy by default (section 8 controls)
PII sharing, transfer, and disclosure (section 8 controls)
ISO-22301
Business continuity plans and procedures (section 8 controls)
Exercise programme (section 8 controls)
SOC2 (Trust Principle section)
Overview of operations
Alternate Storage
ISO-27001
Availability of information processing facilities (section 17 controls)
SOC2 (Trust Principle section)
Overview of operations
Backup and Continuity
ISO-27001
Information backup (section 12 controls)
ISO-27701
Information backup (section 6 controls)
SOC2 (Trust Principle section)
Overview of operations
Principle service commitments
Security category
Planning, Policy and Procedures
ISO-27001
Organisational roles, responsibilities and authorities (section 5 controls)
Information security objectives and plans to achieve them (section 6 controls)
Awareness (section 7 controls)
Operational planning and control (section 8 controls)
Information security risk treatment (section 8 controls)
Mobile devices and teleworking (section 6 controls)
Termination and change of employment (section 7 controls)
Responsibility for assets (section 8 controls)
Capacity management (section 12 controls)
Verify, review and evaluate information security continuity (section 17 controls)
Availability of information processing facilities (section 17 controls)
ISO-27701
Organisation of information security (section 6 controls)
Operational procedures and responsibilities (section 6 controls)
Information security continuity (section 6 controls)
Obligations to PII principals (section 7 controls)
General (section 8 controls)
Obligations to PII principals (section 8 controls)
Temporary files (section 8 controls)
ISO-22301
Roles, responsibilities and authorities (section 5 controls)
Planning changes to the business continuity management system (section 6 controls)
Awareness (section 7 controls)
Operational planning and control (section 8 controls)
Business continuity strategies and solutions (section 8 controls)
Business continuity plans and procedures (section 8 controls)
Exercise programme (section 8 controls)
SOC2 (Trust Principle section)
Security category
The Mimecast platform is an active-active multi-tenant SaaS environment based on a proprietary, geographically dispersed, high-availability cluster architecture. This provides multiple copies of Customer Data, which are in turn replicated between two data centers and 3 separate environments located within the same geography.
Mimecast has created a resilience program with the following attributes:
- Approved by management, communicated to appropriate constituents, and assigned an owner to maintain and periodically review
- Annually reviewed for adequacy of resources (people, technology, facilities, and funding)
- Annually evaluated by a third party for ISO-22301 certification.
The resilience plan additionally outlines:
- Conditions for activating the plan, and the associated roles and responsibilities
- Maintenance schedule to revise and test the plan, plus awareness and education activities
- Roles and responsibilities for those who invoke and execute the plan
- Alternate and diverse means of communications
- Interaction with the media during an event
- Notification and escalation to clients
- Dependencies upon critical service providers, including:
  - Notification and escalation
  - Reviews of critical functions, known and emerging threats, organisational structure and personnel changes