It is important for Visma as a service provider to demonstrate to you, our customer, that our products and services are secure and protect your data and privacy, so that you may use them for your business purposes with trust and confidence.
Visma is a large corporation, with numerous products and services in many different markets and countries, and using different technologies. Our customers range from small businesses to large corporations and municipalities, in sectors ranging from plumbing to banking. The product in question can be Software as a Service (SaaS), locally installed at the customer’s premises, a mobile app, or services such as electronic payment and invoicing, government reports and many other things.
In order to provide appropriate security and data protection across this spectrum, we’ve built a comprehensive security programme for our products and services. This programme is called the “Visma Application Security Programme”, abbreviated VASP.
VASP: A custom-made application security program
VASP is a custom-made application security programme based on leading industry standards and best practices, and embedded directly into our production systems. It is a tiered and scalable programme, where the requirements that a product has to comply with are tailored to the product in question: its technology, delivery model, market and other factors.
For instance, the requirements for a payroll system in the public cloud are different from an ERP system installed on a single customer’s own hardware, which in turn are different from a mobile app.
The objective of the programme is to ensure that our products are managed, developed and operated throughout their lifecycle in a secure and compliant manner with regard to application security, data protection and privacy, both for Visma as a provider and for you as a customer.
VASP protects your security and privacy through organisational and technical measures, designed to protect the confidentiality, integrity, and availability of your data, and the resilience and legal compliance of our products and services. These measures are described in detail in the following chapters.
VCDM: An Information Security Management System for the cloud
For our cloud services, we have developed a full Information Security Management System (ISMS) certified against the ISO 27001 standard. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
Our ISMS is called “Visma Cloud Delivery Model”. It shares many components with VASP, but has its own governance system and covers more than VASP, which is focused primarily on application security and data protection:
VCDM is designed specifically for cloud delivery of software products, and therefore includes things like change management, problem management and release management. It also has additional controls, such as for access management and security.
The VCDM framework describes our approach to developing, delivering and operating cloud services. It describes aspects of how we should be organized, how we should work (processes) as well as technical requirements and best practices necessary for successful cloud service delivery.
The model is based on a set of core principles and focuses on DevOps and Continuous Delivery. VCDM has the following audit assurance report and certifications:
- ISAE 3402 Type I (type II for 2022 - available in 2023)
- ISO 27001
- ISO 9001
ISAE 3402 Type I
The scope of an ISAE 3402 report is the organisation's controls over services and functions performed, to evaluate the internal control over financial reporting.
ISAE 3402 Type I is a SOC 1 engagement.
VCDM offers its customers an ISAE 3402 Type I assurance report, prepared by an external audit firm and documented in accordance with the International Standard on Assurance Engagements 3402, Type I.
To request a copy of the ISAE report, contact your local Sales Contact in Visma, who will verify that your product is covered in the report.
This report is intended solely for the information and use of management of the Service Organisation, current and prospective user entities of the VCDM and services as of October 15th, 2021, and their auditors who audit and report on such user entities’ financial statements or internal controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.
ISO 27001 contains requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).
The ISO 9001 standard is based on a number of quality management principles, including a strong customer focus, the motivation and implication of top management, the process approach and continual improvement. ISO 9001 sets out the criteria for a quality management system (QMS).
A number of companies are covered by our ISO 9001 certification. If you have any questions about this, please contact your local Sales Contact.
Bringing it all together
This means that we have a two-tiered system, into which products are organised to a large extent based on technology:
Most legacy or on-premises systems, which are installed on the customer’s machines, follow the Visma Application Security Programme. Our cloud services, where Visma is also responsible for provisioning the service in a cloud environment, additionally follow the Visma Cloud Delivery Model, with its further and specialised requirements.
This document describes these two systems in great detail.
Please note, however, that this document is a summary of complex internal systems, intended for public distribution. Its purpose is not to document every aspect of these systems, but to provide appropriate information for customers and prospective customers about how Visma works with application security and privacy compliance.
This means that certain parts of VASP and VCDM are purposefully omitted or only included by reference. For example, roles mentioned in this document, such as the Security Engineer and Data Protection Manager, have role descriptions in our Quality Management System that detail their responsibilities, qualifications and authority. Similarly, most things pertaining to governance are not explicitly detailed here, such as onboarding processes to the programmes, various group policies and change management of the programmes. Likewise, references to Visma’s internal organisation are omitted, because the programmes are designed not to be affected by any internal re-organisation of Visma, in order to ensure the system’s resilience.
You can also download this information in PDF format for your convenience and documentation. This may be a good idea to do at the time of purchase, as the document describes the programme at that particular point in time. The document will always have a version number and date.