The basis of the Xero approach is a set of standards developed by the Australian Tax Office (ATO), focused on digital services providers with add-on marketplaces. The standards outline minimum self-assessment and breach reporting/logging requirements for digital service providers that operate an ecosystem. The clear benefit of having such a system in place is the increased protection of client data as well as improved portability of applications between different vendors. The standard's control areas are:
- Encryption key management
- Encryption in transit
- Indirect access to data
- App server configuration
- Vulnerability management
- Encryption at rest
- Audit logging
- Data hosting
- Security monitoring practices and breach reporting
This creation of common security standards across multiple accounting API ecosystems is a world first. The move has been largely welcomed as a raising of the ‘best practice’ bar. Those digital service providers that have proven compliance against Xero’s criteria should be looking to capitalise on the competitive advantage that such a comprehensive security position demonstrates.
What’s to come after the 30th of June?
Here at ISMS.online, helping organisations keep their data secure is our mission, which is why we’ve already built the framework for compliance with the Xero standard into our simple, yet powerful platform. If you’ve got a self-assessment on the horizon, we can help you get through it in a structured and efficient way. By managing, collaborating on and demonstrating your compliance all from one point in the cloud, the first – then annual – self-assessment becomes a simple exercise, rather than a time-consuming process.
While Xero’s focus is on technology controls, it doesn’t address two of the most significant vulnerability areas in service delivery: physical infrastructure and human resources. That’s why we’d recommend a combination of the minimum set of controls within the Xero standard and a more strategic approach to information security management through ISO 27001 certification. ISO 27001 considers people and organisational processes, as well as physical security, and certification is rapidly becoming a must-have for doing business.
If you’d like to know how we can help you get there, our team is ready to help.