SonarCloud’s Security Policy questions

We are considering purchasing SonarCloud’s services for our organization but have some questions about the security policy that were not answered on other posts and the security statement. Any information provided would be greatly appreciated for us to move forward:

  1. Is your security program being audited by an external 3rd party (ISO 27001, SOC 2 etc.)?
  2. Do you have a formal information classification procedure? If so, how would personal data be categorized?
  3. Do you have formal processes in place for security policy maintenance and deviation?
  4. Do you have a process that addresses the identification and measurement of potential information security risks?
  5. Do you have a process for putting in place mitigating controls (measures taken to reduce risk)?
  6. Do you have a process that addresses the acceptance or transfer (Insurance policies, warranties for example) of the remaining (residual) risk after mitigation steps have been applied?
  7. Does your insurance cover cyber liabilities?
  8. Does your organization have a documented incident response plan?
    During the investigation of a security incident, is evidence properly collected and maintained?

Thank you in advance!
-mariana

Hey there.

Feel free to get in touch through our contact form if you haven’t already. We do not review security questionnaires in this community.