TaxCalc Blog
News and events from TaxCalc
ISO 27001: Raising the bar for customer confidence
TaxCalc has achieved ISO 27001 certification in recent months, marking a major technical milestone.
But it represents so much more than that; it’s a public commitment to safeguarding customer data and providing peace of mind. For clients and prospects, this certification is a visible sign that their information is protected by robust, independently verified processes.
TaxCalc’s ISO specialist Philippa Harris says: “We want our customers to feel comfortable that we have done everything we possibly can to secure their data. ISO 27001 gives our customers real confidence that their information is in safe hands.”
She says: “If you're a customer evaluating potential suppliers of software such as TaxCalc, it's a fast-track way of knowing what kind of business you're dealing with. Having ISO 27001 provides reassurance and answers many of the questions they may have, knowing we're already compliant with this standard.”
What ISO 27001 means
ISO 27001 is the international standard for information security management systems (ISMS). It requires an organisation to assess the risks to the information it holds and to implement a framework of policies, procedures, and controls that address those risks, covering data security, privacy, and business continuity. Achieving certification means TaxCalc has demonstrated to an independent, accredited auditor not only that these controls exist, but that they are effective and continually maintained.
Protecting against multiple threats
ISO 27001 is designed to address a broad spectrum of risks – technical, human and physical. TaxCalc’s framework protects against cyber threats such as malware, phishing and data leakage, against people-focused attacks such as social engineering, and against physical risks such as unauthorised access to premises and the improper handling of company assets. The company also keeps a close eye on emerging risks, such as deepfake impersonation and AI-driven attacks, ensuring that its controls and training evolve as the threat landscape changes.
Philippa explains: “You have to be at the forefront of emerging threats, you have to constantly be vigilant and consider where and how a potential incident might occur and prepare for your response.”
This means that TaxCalc’s approach is not static; it adapts to new challenges and ensures that customer data is protected from multiple threats, both seen and unseen.
Security that goes beyond IT
While many think of information security as purely technical, ISO 27001 covers much more. TaxCalc’s approach includes technical measures such as network segregation, cryptography, and malware protection, but also robust processes for hiring and onboarding staff. Philippa says: “People sometimes think a certification like ISO is about antivirus on computers but it’s far more wide ranging. Some of it is IT security, but it’s also people security. So, it might be controls such as making sure that the staff have been appropriately vetted before you give them access to sensitive information.”
Physical security is equally important. The company ensures that only authorised individuals are present in the office, security passes are properly managed, and confidential information isn’t left unattended in meeting rooms or on desks. This cultural approach means everyone at TaxCalc plays a role in keeping customer data safe.
Training, awareness, and incident response
Security is everyone’s responsibility at TaxCalc. Regular information security training ensures all staff understand their role in protecting customer data and reporting incidents so that any suspicious activity can be addressed quickly and effectively.
Business continuity and resilience
ISO 27001 certification also means that TaxCalc has robust plans in place for business continuity, so that services can keep running in the face of disruptions, whether technical or physical. “The certification also requires that we consider business continuity and have measures in place to protect operations. We provide a safe harbour for customers’ data and we've got the resilience in place to ensure that continuity in challenging circumstances.”
Supply chain security
ISO 27001 extends beyond TaxCalc’s own walls. The company requires partners and suppliers to meet the same high standards, regularly checking that third parties handling customer data have appropriate security controls and certifications in place. This approach reduces risk from every angle, ensuring that customer information remains protected even when external vendors are involved.
As Philippa explains: “There’s also a level of checks and balances we must make against our supply chain, which is another element of ISO. You're checking that third parties are doing what they say, potentially auditing them and checking what certifications they have.”
Ongoing compliance and continuous improvement
ISO 27001 is not a one-off activity. A certificate is issued for a three-year cycle, and keeping it requires ongoing vigilance, annual surveillance audits by the certification body followed by a full recertification audit, and continuous internal reviews to ensure standards are maintained and improved. “BSI, as our certification body, will come back annually and they'll go through and deep dive in certain areas to check that we are still upholding those high standards and that we haven't let things slip,” says Philippa.
Internally, TaxCalc conducts its own audits to identify and close any gaps, making sure the safety of both company and customer data remains central to its mission. This ongoing process means that TaxCalc is always adapting to new risks and strengthening its defences.