ISO 27001 and SOC 2 compliance: why should they matter to PCB designers?

By Matt Walsh

How often do you think about cybersecurity when designing a printed circuit board? Probably not very often, but with security breaches becoming more commonplace and the cloud being more widely adopted to manage design data and facilitate collaboration, cybersecurity is becoming an important topic for many PCB design professionals. The question becomes: does your tool vendor hold independent certifications confirming its commitment to information security, and will its processes and controls safeguard your design IP?

ISO 27001 and SOC 2 are two standards to consider when evaluating PCB design tools with extended capabilities in the cloud.

What is ISO 27001?

Most of us have heard of ISO – or the International Organization for Standardization. ISO has developed over 24,000 International Standards that range from cybersecurity to safety to sustainability.

ISO 27001 (formally ISO/IEC 27001) is one of those standards. It specifies the requirements for an information security management system (ISMS): the policies, processes, and controls an organization uses to manage the security of assets such as intellectual property, financial information, and employee details.

To achieve ISO 27001 certification, an organization first conducts its own information security risk assessment, then selects, implements, and regularly reviews the controls that treat those risks. An accredited certification body then audits the ISMS against the standard and, if it conforms, issues a certificate that remains subject to periodic surveillance audits. The certificate carries a scope statement naming the locations, services, and products the ISMS covers, so it is worth checking that the product you use is actually within that scope.

ISO 27001 compliance is a way to demonstrate that a PCB design tool provider has invested in the processes, technology, and resource expertise needed to protect your organization’s IP.

What is SOC 2?

SOC (System and Organization Controls) is a family of attestation reports, defined by the AICPA, through which service organizations, including cloud software providers, demonstrate the controls they operate over security and customer privacy. A SOC report is produced by an independent auditor, a licensed CPA firm, that examines the organization's controls.

SOC audits are performed under attestation standards set by the American Institute of Certified Public Accountants (AICPA), and the auditing firms are required to follow its rules and audit procedures. AICPA member firms are also subject to peer review to confirm that the audits they conduct comply with the approved auditing standards.

A SOC 2 report describes the controls an organization has in place over the customer data it manages. The audit is scoped against the AICPA Trust Services Criteria, which have five categories: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is always in scope; the other four are included only if the organization chooses them, so the report should be checked for which categories were actually examined.

There are two types of SOC 2 reports: Type 1 and Type 2. A Type 1 report examines whether an organization's controls are suitably designed to meet the selected Trust Services Criteria at a single point in time. A Type 2 report also tests whether those controls operated effectively over a review period, typically 6-12 months, and lists any exceptions the auditor found. Type 2 is therefore the more useful evidence for a customer.

Why should PCB designers care about ISO 27001 and SOC 2 compliance?

Product development teams are continuously challenged to deliver next-generation products on time, on requirements, and on budget. The tools they use are central to this task. Increasingly, the cloud is enabling new ways of efficiently managing, sharing, and visualizing design IP, all of which are key to effective collaboration and team alignment. But no matter your design process or where you store your design data, there is a constant threat from cybercriminals. High-profile breaches and vulnerabilities (e.g., the SolarWinds supply-chain breach and the Log4j vulnerability) have become all too common in today's connected world.

Both ISO 27001 and SOC 2 compliance indicate that a software provider has gone through a rigorous, independently audited process for managing the security of its cloud applications and, with them, its customers' intellectual property. Neither is a guarantee against a breach, so the details matter: the scope statement on an ISO 27001 certificate says which locations, services, and products the ISMS covers, and a SOC 2 report states which criteria were examined, over what period, and with what exceptions.

If you are a PCB designer who uses software connected to the cloud, ask your provider for its ISO 27001 certificate and SOC 2 report, and check that the product you use falls within their scope. Verifying that your provider meets these standards helps protect your business, and your design IP, from cybersecurity threats.

To view our certificates and more details about our own compliance, visit our Siemens Quality Vision website and scroll down to the "Information Security and Secure Development" section. There you will find the link to our ISO 27001 certificates, as well as our certificates for ISO 27017 (cloud security) and ISO 27018 (data privacy). SOC 2 reports are provided under NDA on a request-by-request basis. If you are interested in this information, please contact us.

This article first appeared on the Siemens Digital Industries Software blog at