View this document as a PDF

It is important for Visma as a service provider to demonstrate to you, our customer, that our products and services are secure and protect your data and privacy, so that you may use them for your business purposes with trust and confidence.

Visma is a large corporation, with numerous products and services in many different markets and countries, and using different technologies. Our customers range from small businesses to large corporations and municipalities, in sectors ranging from plumbing to banking. The product in question can be Software as a Service (SaaS), locally installed at the customer’s premises, a mobile app, or services such as electronic payment and invoicing, government reports and many other things.

In order to provide appropriate security and data protection across this spectrum, we’ve built a comprehensive security programme for our products and services. This programme is called the “Visma Application Security Programme”, abbreviated VASP.


VASP: A custom-made application security program

VASP is a custom-made application security program based on leading industry standards and best practices, and embedded directly into our production systems. It is a tiered and scalable programme, where the requirements that a product has to comply with are tailored to the product in question; its technology, delivery model, market and other factors.

For instance, the requirements for a payroll system in the public cloud are different from an ERP system installed on a single customer’s own hardware, which in turn are different from a mobile app.

The objective of the programme is to ensure that our products are managed, developed and operated throughout its lifecycle in a secure and compliant manner with regards to application security, data protection and privacy, both for Visma as a provider and you as a customer.

VASP protects your security and privacy through organisational and technical measures, designed to protect the confidentiality, integrity, and availability of your data, and the resilience and legal compliance of our products and services. These measures are described in detail in the following chapters.


VCDM: An Information Security Management System for the cloud

For our cloud services, we have developed a full Information Security Management System (ISMS) certified on the ISO 27001- standard. An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

Our ISMS is called “Visma Cloud Delivery Model”. It shares many components with VASP, but has its own governance system and covers more than VASP, which is focused primarily on application security and data protection:

VCDM is designed specifically for cloud delivery of software products, and therefore includes things like change management, problem management and release management. It also has additional controls, such for access management and security.

The VCDM framework describes our approach to developing, delivering and operating cloud services. It describes aspects of how we should be organized, how we should work (processes) as well as technical requirements and best practices necessary for successful cloud service delivery.

The model is based on a set of core principles and focuses on DevOps and Continuous Delivery. VCDM is certified for ISO9001 and ISO27001.


Bringing it all together

This means that we have a two- tiered system, into which products are organised to a large extent based on technology:

Most legacy or on- premises systems, which are installed on the customer’s machines, are following the Visma Application Security Programme, but our cloud services, where Visma is also responsible for the provisioning of the service in a cloud environment, are also following the Visma Cloud Delivery Model, with its additional and specialised requirements.

This document describes these two systems in great detail.

Please note however, that this document provides a summary of complex internal systems intended for public distribution. Its purpose is not to document every aspect of these systems, but to provide appropriate information for customers and prospective customers about how Visma works with application security and privacy compliance.

This means that certain parts of VASP and VCDM are purposefully omitted or only included by reference. For example, roles mentioned in this document, such as the Security Engineer and Data Protection Manager, have role descriptions in our Quality Management System that details their responsibilities, qualifications and authority. Similarly, most things pertaining to governance are not explicitly detailed here, such as onboarding processes to the programmes, various group policies and change management of the programmes. Similarly, references to Visma’s internal organisation is omitted, because the programmes are designed not to be affected by any internal re-organisation of Visma, in order to ensure the system’s resilience.

You can also download this information in pdf format for your convenience and documentation. This may be a good idea to do at the time of purchase, as the document describes the programme at that particular point in time. The document will always have a version number and date.