In December last year, Xero announced it was rolling out a new global security standard. The standard came into effect in January this year, giving partners a six-month window to complete a security self-assessment by the 30th June 2020. In order to meet the new standard, any third-party add-on developers with more than 1,000 connections to Xero’s range of APIs were required to demonstrate compliance. This included any global app partners with connections to the Xero API and WorkflowMax API, Xero Practice Manager, Xero Tax or Xero HQ.
The basis of the Xero approach is a set of standards developed by the Australian Tax Office (ATO), focused on digital service providers with add-on marketplaces. The standards set out minimum self-assessment and breach reporting/logging requirements for digital service providers that operate an ecosystem. The clear benefit of having such a system in place is the increased protection of client data, as well as improved portability of applications between different vendors.
The sections of the ATO’s Security Standard for Add-on Marketplaces directly reflect the structure of the Xero self-assessment:
- Encryption key management
- Encryption in transit
- Indirect access to data
- App server configuration
- Vulnerability management
- Encryption at rest
- Audit logging
- Data hosting
- Security monitoring practices and breach reporting
This creation of common security standards across multiple accounting API ecosystems is a world first. The move has been largely welcomed as a raising of the ‘best practice’ bar. Those digital service providers that have proven compliance against Xero’s criteria should be looking to capitalise on the competitive advantage that such a comprehensive security position demonstrates.
What’s to come after the 30th of June?
Once Xero’s technology partners have elevated their security practices, the next logical step will be to extend the new standards to those professional service providers interacting with the platform. With accountants being top of that pyramid, we’d expect to see the Institute of Chartered Accountants in England and Wales (ICAEW) and Association of Chartered Certified Accountants (ACCA) here in the UK follow suit with some improved standards of their own. Now is the time for both organisations to take a strong position on practice assurance with respect to data security.
Here at ISMS.online, helping organisations keep their data secure is our mission, which is why we’ve already built the framework for compliance with the Xero standard into our simple, yet powerful platform. If you’ve got a self-assessment on the horizon, we can help you get through it in a structured and efficient way. By managing, collaborating and demonstrating your compliance all from one point in the cloud, the first – then annual – self-assessment becomes a simple exercise, rather than a time-consuming process.
While Xero’s focus is on technology controls, it doesn’t address two of the most significant vulnerability areas in service delivery: physical infrastructure and human resources. That’s why we’d recommend combining the minimum set of controls within the Xero standard with a more strategic approach to information security management through ISO 27001 certification. ISO 27001 covers people and organisational processes as well as physical security, and certification is rapidly becoming a must-have for doing business.
If you’d like to know how we can help you get there, our team is ready to help.