Thinkproject SaaS solutions pass SOC 2 audit for secure cloud computing

Report this content

CONCLUDE CDE and EPLASS CDE meet SOC 2 and C5 security requirements

Munich, 26 February 2024 – Thinkproject, the leading European SaaS provider of solutions for the construction industry, has received an official SOC 2 attestation for its SaaS solutions CONCLUDE CDE and EPLASS CDE. The U.S. SOC 2 security standard (System and Organization Controls 2), which has been defined by the American Institute of Certified Public Accountants (AICPA), is primarily aimed at security in cloud computing, unlike standards such as ISO/IEC 27001. The standard also aims to create maximum information security for cloud services – for operators and customers alike.

 

The audit for Thinkproject's SOC 2 attestation was carried out by HKKG Wirtschaftsprüfungsgesellschaft, headquartered in Cologne. The SOC 2 test was derived from the C5 test by comparing the requirements. Thus, Thinkproject has received an attestation according to the German C5 criteria and the SOC 2 requirements at the same time. C5:2020 (Cloud Computing Compliance Controls Catalogue) is a catalogue of criteria used by the German Federal Office for Information Security (BSI) to define the requirements for secure and compliance-compliant cloud computing. If, for example, German (federal) authorities and financial institutions use cloud offerings, there is even a legal obligation to insist on compliance with the C5 criteria when awarding contracts. C5 has similar relevance for operators of critical infrastructure (KRITIS) according to the German BSI law.

 

The SOC 2 and C5 criteria catalogues

The SOC 2 and C5 attestations prove that Thinkproject's SaaS-based Common Data Environments (CDE) – CONCLUDE CDE and EPLASS CDE – have the highest level of security for cloud solutions. SOC 2 is originally a U.S. standard according to which service organisations generate reports on the status of defined internal control parameters. These parameters include the security and availability of the data, the integrity of the data processing, confidentiality, and data protection aspects.

The American Institute of Certified Public Accountants has defined this security standard in accordance with the AICPA Trust Services Principles and Criteria. Closely related to the criteria of SOC 2 is the specifically German criteria catalogue C5 of the German Federal Office for Information Security (BSI). An attestation according to the BSI's C5 criteria catalogue can also be regarded as an indicator that a provider of cloud services protects its infrastructure as strongly as possible against cyberattacks. The BSI's C5 catalogue comprises 17 categories (domains), which consist of basic criteria, additional criteria and supplementary information.

In total, the C5 catalogue defines 127 requirements (controls) across the entire company, its processes and its personnel. For example, C5 deals with requirements relating to personnel deployed, physical security compliance, identity and rights management, communication security, cryptographic measures and key management, as well as the handling of security incidents.

 

IT security is indispensable for SaaS solutions

"In Germany, C5 conformity is often a mandatory, legally required criterion for public sector tenders," explains Dr. Ralf Hundhammer, CTO of Thinkproject. "This catalogue of requirements from the BSI has similar relevance for operators of critical infrastructure and for financial institutions. One could say that the C5 attestation of subcontractors such as Thinkproject is indispensable for operators of KRITIS to ensure verified, highest possible information security. But the triumph of cloud computing continues throughout the economy, worldwide,” says Thinkproject CTO Ralf Hundhammer.

“Whether SOC 2 or C5 – more and more companies are paying close attention to the fact that a provider meets the relevant security standards when choosing a cloud or SaaS provider, if only out of well-understood self-interest. In this context, the great advantage of criteria catalogues such as SOC 2 and C5 is that they specifically address security in cloud computing. In the cloud sector, they have much more granular requirements than ISO 27001, for example. With the successful SOC 2 and C5 audit, we can now document that we meet all security requirements at Thinkproject: from general certification according to ISO 27001 to cloud-specific attestations. For us and for our customers, cybersecurity is rightly a topic of central importance," he adds, "because digitalization and information security must go hand in hand."

 

__________________________________________________________________________________

About Thinkproject

By combining information management expertise and in-depth knowledge of the building, infrastructure, and energy industries, Thinkproject empowers customers to efficiently deliver, operate, regenerate, and dispose of their built assets across their entire lifecycle through a Connected Data Ecosystem. With 650+ employees, Thinkproject offers digital solutions in 60 countries worldwide that cover the entire lifecycle of a construction project. Thinkproject supports more than 750,000 users in 75,000 projects at more than 3,250 customers.

For more information, please visit www.thinkproject.com

Press contact: Julia Schreiber, Möller Horcher Kommunikation GmbH, julia.schreiber@moeller-horcher.de, +49 3731 2070915