We’re excited to announce that SocialOptic has achieved ISO/IEC 27001:2022 and ISO 9001:2015 certifications. These are external seals of approval for our information security and quality management. ISO 27001 is the global standard for information security, and our certification (to the newest 2022 version of the standard) demonstrates that we have a robust, audited Security Management System in place. ISO 9001 is the international benchmark for Quality Management, ensuring our processes (from development to delivery and support) are well-defined and continuously improved. The certifications demonstrate that our team’s day-to-day practices have been verified by independent experts.

When selecting a survey platform for sensitive research, employee engagement studies, or public consultations, data security and service quality are key requirements. ISO 27001 and ISO 9001 certifications provide independent, third-party verification that SocialOptic has implemented comprehensive information security management systems and quality management processes that meet global best practices.

Security and Quality

At its core, ISO 27001 requires us to identify information security risks (like data breaches and service interruptions) and put in place controls to mitigate them. It also mandates regular internal audits and management reviews, so that the system keeps improving over time. In practice, this means SocialOptic has documented policies and procedures for everything from secure coding and data handling to employee training and incident response. We audit ourselves, and then independent auditors check that these controls are in place and effective. ISO 9001 makes sure we run a systematic Quality Management System. It means that we set quality objectives, document our processes (for development, customer service, delivery, and other areas), and continuously measure and improve them. In other words, our software and services are built on a foundation of continual improvement and thorough quality checks. For our customers, that translates into a reliable, consistent service and high-quality, tested software.

Our ISO 27001 certification shows that we’ve already transitioned to the ISO/IEC 27001:2022 standard. The old ISO/IEC 27001:2013 was replaced in October 2022, and organisations had until October 31, 2025 to transition. After that date, any 2013-version certificates expire. The change is a significant one, and the 2022 version of the standard brings a much-needed refresh; much has happened in the security world since the original 2013 standard!

Continuous Assurance

In an environment where cyber attacks and data breaches make headlines on a daily basis, these certifications provide the assurance that any data we hold is protected by globally recognised security and quality standards. The standards set a high bar, but certification alone isn’t a complete security guarantee. Standards like ISO 27001 tell us what we need to achieve (strong risk management, policies, etc.) but not exactly how to implement every control. For example, ISO 27001 requires risk assessments and controls, but it doesn’t prescribe specific technical solutions. This gap means that organisations should also actively maintain and test their defences, as the threat landscape evolves faster than any static standard can. We regularly engage independent security specialists to test our systems for weaknesses, and we also run automated security scans and monitoring on a continual basis. Our platform also has a range of additional security features that let you control your security:

  • Two-Factor Authentication and Access Controls. SurveyOptic fully supports 2FA, adding an extra layer of security. We also limit system access by role and by specific permissions, following the principle of least privilege. We also mark any personally identifiable data, and sensitive category data, so that only authorised users can access it.
  • Transparency via a Trust Centre. We’ve launched a dedicated Trust Centre to enable you to inspect our security posture for yourself, viewing key documents like security policies, audit and test reports, certificates, and details about our data controls. We’re publishing the evidence you need to be able to trust our claims. This automated portal keeps the documents up to date (so you always see the latest version), while still letting us keep the documents secure. Having a live Trust Centre means you can independently verify our compliance at any time.
  • Risk Ledger Profile. We also maintain a full profile on Risk Ledger, a vendor risk platform used by a number of government bodies and large organisations. Risk Ledger continuously monitors supplier risk and automatically updates information like certifications and alerts. Risk Ledger provides continuous alerts on new supplier vulnerabilities and remediation, as well as threat intelligence, and helps maintain ISO 27001 compliance in real time. We keep our Risk Ledger entry up to date, so our public-sector buyers can see our current risk rating, knowing that it is continually evaluated. Risk Ledger also provides an NCSC Cyber Assessment Framework (CAF) supplier security assessment.
  • Cyber Essentials Plus and NCSC Monitoring. On top of all this, SocialOptic holds Cyber Essentials Plus certification, the UK government-backed scheme for baseline cyber security hygiene. It involves an external penetration test of our perimeter and a review of our security practices, and is a requirement for many government contracts. Holding Cyber Essentials Plus (in addition to ISO 27001) means that SocialOptic is independently verified for both broad security management and specific technical security measures. Because we serve healthcare, government, and education organisations, we also publish a full NHS Data Security & Protection Toolkit (DSPT) assessment, where we have continuously demonstrated that we exceed all of the UK government’s recommended security standards for healthcare data handling.

Better Security for SocialOptic and for Our Customers

Obtaining ISO 27001:2022 and ISO 9001:2015 is a significant milestone for SocialOptic, but more importantly it’s a win for our customers. These certifications are external confirmation that we have formal, audited systems for security and quality. Combined with our continuous penetration testing, Cyber Essentials Plus, and new Trust Centre, you can have complete confidence that your surveys and consultations are handled safely and professionally.

We know that healthcare trusts, universities, local authorities and consultation teams demand the highest levels of assurance. Thanks to our ISO certifications, they can rely on SurveyOptic to keep meeting those demands. If you ever need evidence of our compliance (for your internal governance or auditors), our Trust Centre and Risk Ledger profile provide all the details on demand.

We are grateful for all of our customers, who trust us with their important data. Our goal has always been to provide the highest levels of security, confidentiality and service quality, and now with these certifications we’re proud to say our customers can demonstrate to their customers and employees that they are taking the best care too.