Security FAQ

Besedo’s Information Security Management System (ISMS) is planned, designed, maintained, and improved in line with the ISO/IEC 27001:2022 international standard, against which Besedo is already certified.

Here you will find an overview of our commitment to security and of the security layers and scopes in place, designed internally to meet the needs of our employees and our business, and externally to provide a safe environment for our clients.

Organizational Controls

Process: Security Roles

ISO/IEC 27002:2022 Controls: 5.2, 5.3, 5.4

Description: Our Cybersecurity team is led by the Global Head of Infosec, who is responsible for the governance and compliance of all security processes across Besedo’s global offices. The Global Head of Infosec runs our regular audits, answers client questions and requirements, conducts security risk assessments, maintains and improves the ISMS, and coordinates all areas of Besedo (business operations, tech leaders, Sales, HR, Legal, and C-level) so that they align with security best practices. The Cybersecurity team is responsible for technical implementation and for monitoring security controls.


Process: InfoSec Documentation

ISO/IEC 27002:2022 Controls: 5.1, 5.8, 5.37

Description: As part of developing our Information Security Management System (ISMS), we have fully documented all processes, policies, manuals, records, and templates related to information security. These documents are version-controlled and tagged for easy reference. Besedo also maintains an ISMS repository that is accessible to department leaders. The documents are written by the Global Head of Information Security and reviewed by department leaders to ensure they align with other processes at Besedo. Our Information Security and Privacy Policy is our primary formal document; it sets out the security rules that all Besedo employees must follow.


Process: Threat Intelligence

ISO/IEC 27002:2022 Controls: 5.5, 5.6, 5.7

Description: The Global Head of Infosec continuously tracks new threats and zero-day vulnerabilities, which emerge daily. To do so, Besedo subscribes to several threat- and vulnerability-intelligence sources whose alerts are assessed for relevance to Besedo’s environment. Relevant alerts are communicated internally to the stakeholders concerned so that preventive and corrective actions can be taken before critical business systems are affected. Additionally, to comply with ISO/IEC 27001:2022, an annual risk assessment is conducted to identify and document critical and high risks; the necessary security controls are then implemented or strengthened to mitigate them.


Process: Acceptable use of Assets

ISO/IEC 27002:2022 Controls: 5.9, 5.10, 5.11

Description: Our Infosec and Privacy Policy includes a section detailing how Besedo assets must be protected. This covers everything from the equipment and peripherals issued to each employee to the network connections and systems within our data centers. We set out good security practices to minimize the consequences of a security incident, and these are communicated to all employees in a training session during onboarding. Additionally, all information assets are inventoried, shared with all department leaders, and updated annually, so that we know which resources are most critical and require the strongest security measures.

User equipment is provided by our ICT department, and when an employee leaves the company all equipment is returned. ICT inspects the equipment and wipes its disk before it is reissued to another user. Obsolete or out-of-production servers are reused for lab work by the ICT or Infosec departments or donated to educational institutions after their data has been wiped.


Process: Acceptable Use of Data

ISO/IEC 27002:2022 Controls: 5.12, 5.13, 5.14

Description: The company’s information is managed, stored, and shared through our enterprise Microsoft 365 account. Each document is classified as public, private, or confidential. Microsoft 365 is configured so that files stored there cannot be shared with accounts outside the Besedo domain. Additionally, as part of Data Loss Prevention, continuous monitoring raises an alert if confidential company information is sent to external email accounts.
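The two tenant-side controls described above (no external sharing, and an alert when confidential content leaves the domain) can be set and verified from PowerShell. The following is an added example and not Besedo’s own configuration: it assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module are installed, that the "public / private / confidential" classification is implemented as sensitivity labels (the label name "Confidential" is a placeholder), and that the tenant admin URL and the alert mailbox infosec@contoso.com are hypothetical.

```powershell
# Added example, not Besedo's configuration. Assumptions: SharePoint Online
# Management Shell and ExchangeOnlineManagement modules installed; the tenant
# URL, the sensitivity label name and the alert mailbox are placeholders.

# 1. Tenant-wide: disable external sharing for SharePoint and OneDrive.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability Disabled

# Verify at tenant level, then list any site whose own setting is not Disabled
# (a site cannot be more permissive than the tenant, but an explicit per-site
# value is worth knowing about before the tenant setting is ever relaxed).
Get-SPOTenant | Select-Object SharingCapability
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability

# 2. DLP: raise an incident report when an item carrying the "Confidential"
#    sensitivity label is shared with a recipient outside the organisation,
#    over Exchange, SharePoint or OneDrive. This matches the "alert" behaviour
#    described on the page; adding -BlockAccess $true would turn it into
#    enforcement. Start in TestWithNotifications mode to tune false positives.
Connect-IPPSSession
New-DlpCompliancePolicy -Name "Confidential-external-sharing" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "Confidential-to-external-recipient" `
    -Policy "Confidential-external-sharing" `
    -ContentContainsSensitiveInformation @(@{
        operator = "And"
        groups   = @(@{
            operator = "Or"
            name     = "Labelled confidential"
            labels   = @(@{ name = "Confidential"; type = "Sensitivity" })
        })
    }) `
    -AccessScope NotInOrganization `
    -NotifyUser "LastModifier" `
    -GenerateIncidentReport "infosec@contoso.com" `
    -IncidentReportContent "Title","DocumentAuthor","Detections","Severity" `
    -ReportSeverityLevel High

# 3. Review what was created before switching the policy to -Mode Enable.
Get-DlpComplianceRule -Policy "Confidential-external-sharing" |
    Select-Object Name, AccessScope, ReportSeverityLevel
```

The rule is scoped with AccessScope NotInOrganization so that sharing a Confidential document internally does not generate noise; only the external case is reported. Switch the policy to -Mode Enable once the test-mode reports show an acceptable false-positive rate.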


Process: Access Management

ISO/IEC 27002:2022 Controls: 5.15, 5.16, 5.17, 5.18

Description: As part of employee onboarding, all staff members are given a domain account that they use to access internal company resources such as email and VPN. For Microsoft 365 services, two-factor authentication is enabled for all users. The ICT team manages these credentials, and when an employee leaves the company, Human Resources sends a request to disable their domain account, which immediately blocks access. The password creation policy for all Besedo users includes:

If an account is compromised, the ICT team disables it while the Infosec team investigates; once the risk is resolved, the user’s password is changed manually.
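The containment steps described above (disable the account, investigate, then change the password) can be scripted so that they are carried out the same way every time. The following is an added example and not Besedo’s own procedure. It assumes an on-premises Active Directory domain with the RSAT ActiveDirectory module, identities synchronised to Microsoft 365, and the Microsoft.Graph PowerShell SDK; the account name and user principal name are placeholders.

```powershell
# Added example, not Besedo's procedure. Assumptions: RSAT ActiveDirectory
# module, identities synced to Microsoft 365, Microsoft.Graph SDK installed.
# Run as an ICT administrator; $SamAccountName / $UserPrincipalName are
# placeholders for the affected user.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,    # e.g. "jdoe"
    [Parameter(Mandatory)] [string]$UserPrincipalName  # e.g. "jdoe@contoso.com"
)

Import-Module ActiveDirectory
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

# 1. Containment: disable the account on-premises and in the cloud.
Disable-ADAccount -Identity $SamAccountName
Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

# 2. Disabling alone does not end sessions that are already signed in; those
#    keep working until their tokens expire. Revoke refresh tokens so existing
#    Microsoft 365 sessions are forced to re-authenticate (and fail).
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# 3. Credential rotation: replace the password with a random throwaway value
#    (the attacker's credential is now useless even if the account is later
#    re-enabled by mistake) and force the user to choose a new password at the
#    next logon once Infosec has closed the investigation.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $tempPassword
Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

# 4. Evidence for the Infosec investigation: current account state on-premises
#    and the most recent cloud sign-ins (source IP and client) for the user.
Get-ADUser -Identity $SamAccountName -Properties Enabled, LastLogonDate, PasswordLastSet, LockedOut |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, LockedOut

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, ClientAppUsed,
        @{ n = 'Status'; e = { $_.Status.ErrorCode } }
```

The order matters: the account is disabled and its sessions revoked before anything else, so that the investigation in step 4 runs against an account the attacker can no longer use. Re-enabling (Enable-ADAccount and Update-MgUser -AccountEnabled:$true) is deliberately left out of the script, since on the page that decision belongs to the Infosec team once the risk is resolved.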

Access to critical company systems follows the principle of least privilege: users have access only to what they need, with the rights they need, for only as long as needed. This is controlled by each system’s owner.


Process: Vendor Management

ISO/IEC 27002:2022 Controls: 5.19, 5.20, 5.22, 5.23

Description: Our suppliers are inventoried, and each undergoes a risk assessment that identifies the scope, frequency, and nature of the services they provide to Besedo, along with the controls needed to minimize the associated risks. This process is conducted jointly by the Human Resources and Infosec teams. For cloud services, a Shared Responsibility Model defines the obligations of each party: in Besedo’s case, the cloud provider supplies the underlying infrastructure, while data, processing, access control, and networking remain the responsibility of the technical leaders of each department.


Process: Event and Incident Management

ISO/IEC 27002:2022 Controls: 5.24, 5.25, 5.26, 5.27, 5.28, 5.29

Description: Employees report security events or incidents by email to the Security team. The Infosec team investigates and takes preventive and/or corrective measures. In the event of a security incident with real impact, the affected system is isolated and a report is prepared documenting the incident’s lifecycle: detection, actions taken, evidence, root cause, improvement measures to reduce future risk, responsibilities, and lessons learned. This report is presented to the company’s board of directors as a key input to the company’s cybersecurity strategy.


Process: Business Continuity

ISO/IEC 27002:2022 Controls: 5.30

Description: Each technical area has its own business continuity plan. Simulations of potential business disruption scenarios are conducted with all stakeholders to identify the appropriate crisis response. A Business Impact Analysis has been performed, and a documented procedure for actions during an incident is available. On-premises systems are deployed in high-availability configurations, and our cloud infrastructure spans multiple availability zones, so that if one zone is affected the others take over automatically and the transition is seamless for users and customers.


Process: GDPR and legal

ISO/IEC 27002:2022 Controls: 5.31, 5.32, 5.33, 5.34, 5.35, 5.36

Description: Besedo is committed to GDPR compliance for both employees and clients. Essential documents are in place, including the Privacy Policy, Data Processing Agreements for client contracts, security measures based on ISO/IEC 27001:2022 (already certified), Records of Processing Activities, and Data Protection Impact Assessments. The Global Head of Infosec also serves as the Data Protection Officer, acting as the liaison between stakeholders and our internal and external legal teams.


Human Controls

Process: Security Human Processes

ISO/IEC 27002:2022 Controls: 6.1, 6.2, 6.4, 6.5, 6.6, 6.7

Description: A background check is performed for each new employee. The standard contract includes a confidentiality agreement, and software developers receive an addendum on intellectual property. Employees also sign remote-work agreements and the Infosec Agreement, which sets out the actions prohibited within Besedo. A disciplinary process managed by Human Resources is in place and is triggered by inappropriate business or security behavior.


Process: Awareness and Training

ISO/IEC 27002:2022 Controls: 6.3

Description: As part of a new employee’s onboarding, the Infosec course is mandatory. Each employee must take the course, which covers security best practices, the Infosec and Privacy Policy, the Infosec Agreement, how to report a security event, and the contacts for the Infosec and ICT teams for support. The course includes intermediate tests and a final exam to verify comprehension, and on passing the final exam the employee receives a completion certificate. Additionally, Besedo runs the Infosec and Privacy Academy, through which a new security best practice, recommendation, or alert about new attack methods is shared monthly via internal channels.


Process: Event Reporting

ISO/IEC 27002:2022 Controls: 6.8

Description: Besedo has formal channels for employees to report security events. The Infosec team receives these notifications, prioritizes them, and proceeds with analysis, actions, and response. These channels are communicated during the Infosec course and monthly infographics.


Physical Controls

Process: Physical security

ISO/IEC 27002:2022 Controls: 7.1, 7.2, 7.3, 7.6

Description: Besedo offices have physical access control systems, either biometric or card-based. Cards are configured so that employees can access certain restricted areas but not others, depending on their role. Visitors and suppliers must register at the office entrance and be accompanied by company personnel throughout their stay.


Process: Physical Monitoring

ISO/IEC 27002:2022 Controls: 7.4

Description: Besedo offices are monitored by security cameras, with video records stored for no longer than one month.


Process: Environmental Threats

ISO/IEC 27002:2022 Controls: 7.5

Description: Fire extinguishers, alarms, and smoke detectors are strategically placed throughout the office facilities. Annual training is provided for the risk prevention team, responsible for coordinating actions in the event of physical incidents, such as fires, electrical damage, earthquakes, or other adverse events where employees’ lives or information systems are at risk. All security measures are reviewed annually to ensure proper functionality in the event of an unexpected incident.


Process: Clear desk and clear screen

ISO/IEC 27002:2022 Controls: 7.7

Description: Workstations must be kept free of items that could damage the devices provided by the ICT team, such as food or drinks, or anything else that could hinder business operations or cause accidents. Personal or confidential information may not be stored locally on devices; all information must be stored in the cloud on Microsoft SharePoint or corporate OneDrive. Workstations automatically lock the screen after two minutes of inactivity, and employees are also trained to lock their devices manually when leaving their desks.


Process: Physical security for assets

ISO/IEC 27002:2022 Controls: 7.8, 7.9, 7.10

Description: Besedo offices offer spaces where accident risks are minimized, and critical technological systems are housed in data centers with restricted access. Only the ICT team and technology providers accompanied by them can access these centers. The cabling for these data centers, workstations, and meeting rooms is properly organized and protected. Additionally, the electrical and cooling systems are correctly implemented by external specialists who conduct annual evaluations and maintenance to ensure proper functionality.


Process: Equipment maintenance

ISO/IEC 27002:2022 Controls: 7.11, 7.12, 7.13, 7.14

Description: User equipment is maintained on demand, when it is damaged or when the user requires an upgrade. Server maintenance consists of the required operating system updates and physical maintenance in the data center, including specialized cleaning for this type of equipment. Support systems such as electrical circuits, air conditioning, environmental threat protection equipment, and UPS receive annual maintenance. The maintenance date, the responsible company, the actions taken, and any recommendations are recorded. Recommendations are validated in internal committees and acted upon with the primary objective of protecting our information assets as well as possible.


Technological Controls

Process: Endpoint security

ISO/IEC 27002:2022 Controls: 8.1, 8.2, 8.7, 8.12, 8.18, 8.19

Description: User devices have disk protection: BitLocker on Windows systems, and locks for MacBooks. Sign-in is restricted to the domain account of the user to whom the device was issued. All devices run antivirus software that is updated regularly, and periodic scans are conducted. If malware is detected, corrective action is taken automatically by the system and the Infosec team is alerted so that preventive measures can follow. Users do not have administrator rights on these systems: CMD and PowerShell are disabled, no software can be installed beyond what the business has pre-approved, USB ports are disabled, and Bluetooth connections are restricted. All of these device control policies are managed centrally by our ICT team through Intune.


Process: Email and Storage Security

ISO/IEC 27002:2022 Controls: 8.3, 8.5

Description: Our agents cannot send or receive email from external accounts; all company information is exchanged through company domain accounts. Administrative staff receive an alert notification when a message arrives from an external account. Microsoft’s built-in anti-spam and anti-phishing filtering, whose thresholds are updated from Microsoft’s ongoing behavioral research, automatically blocks spam and phishing emails. Additionally, in Microsoft Teams chat is only allowed with accounts from the same domain, and the same restriction applies to file sharing on SharePoint and OneDrive.


Process: Secure Software Development Lifecycle

ISO/IEC 27002:2022 Controls: 8.4, 8.25, 8.26, 8.27, 8.28, 8.29, 8.31, 8.33

Description: We have two software development teams, organized by the services they develop: internal tools, and our product, Implio. For internal tools we have implemented a Secure Software Development Life Cycle (SSDLC) that describes the requirements to be considered, validated, tested, and deployed throughout the lifecycle:

Implio is in the process of adopting the SSDLC with formal documentation. In the meantime, its cloud infrastructure is continuously monitored for vulnerabilities and malware and is protected by the required security layers.


Process: Performance monitoring

ISO/IEC 27002:2022 Controls: 8.6

Description: All of Besedo’s technology infrastructure, both physical and cloud, is monitored 24/7, and service owners are alerted immediately to performance issues on the equipment and critical platforms that support the business. Disk space, RAM, CPU, network issues, and downtime are among the metrics monitored. Upon receiving an alert, service owners can inspect the problem and immediately take corrective and preventive action.


Process: Vulnerability Management

ISO/IEC 27002:2022 Controls: 8.8, 8.9, 8.34

Description: Two types of assessment are performed. The first is an internal vulnerability scan, conducted quarterly by the Infosec team on infrastructure that is not publicly accessible, both physical and cloud-based (network equipment, servers, instances). A report is delivered to the service owners describing the vulnerabilities found and recommending actions to mitigate them.

The second is penetration testing, conducted annually on Besedo’s public services: the main website and Implio. It is performed by an external provider, who delivers a report of the findings including evidence of each step of the tests and of the successful attacks, together with recommended measures. The Infosec team communicates these internally to the teams responsible for both services and ensures the measures are implemented within timelines set according to the criticality of the security risk.


Process: Backup Management

ISO/IEC 27002:2022 Controls: 8.13, 8.14

Description: Besedo’s technology infrastructure includes a backup management system for its critical services, such as servers, databases, and configuration files. Each strategic location where services are deployed has specialized platforms to schedule, take, and restore backups regularly (configuration files are backed up weekly; server and database backups are taken daily). Additionally, annual restoration exercises are conducted to verify that both physical and cloud backups are being taken and can actually be restored should a real incident require the recovery of one of our critical systems.


Process: Log Management

ISO/IEC 27002:2022 Controls: 8.15, 8.16, 8.17

Description: Each technical department has its own log visualization and deployment system. As an improvement to our ISMS, we are implementing a system where all logs will be processed centrally and monitored by the Infosec team.


Process: Network Security

ISO/IEC 27002:2022 Controls: 8.20, 8.21, 8.22, 8.23

Description: As a baseline security layer, on-site systems are protected by firewalls that segment the network into user networks and DMZs. The firewalls are managed by the ICT department and enforce web filtering of high-risk websites and port-level restrictions on both inbound and outbound traffic. Intrusion Prevention System (IPS), application control, and HTTPS inspection are also enabled on the same firewalls, which additionally terminate site-to-site VPNs and client VPNs for our employees, authorized clients, and suppliers.


Process: Encryption and Cryptography

ISO/IEC 27002:2022 Controls: 8.24

Description: Data at rest and data in transit are protected with secure protocols and industry-recommended algorithms. These are applied to web traffic, site-to-site and client VPN connections, email, and the backups of our databases. The TLS certificates for our official pages and services are issued through AWS, with their private keys stored encrypted in AWS.


Process: Change Management

ISO/IEC 27002:2022 Controls: 8.32

Description: An internal Change Management procedure sets out the criteria for when a change must be analysed by the Change Advisory Board (CAB). In particular, if a change to a critical business platform will have an impact and cause downtime during a maintenance window, the discussion and decision must involve all CAB members through the internal channels defined in the procedure. Once every CAB member has approved, the change is executed and the results are communicated.


Last updated: April 14, 2025