Security
base-foundation.io platform security.
ISO 27001 Accreditation
We have achieved ISO 27001 – Information Security Management certification, awarded by the UKAS-accredited British Assessment Bureau.
At base we are committed to security for both ourselves and all our customers. We are constantly striving to be at the forefront of information security and ISO 27001 compliance further demonstrates our outstanding security practices.
It further shows our commitment and lets our customers know that we are managing their data with security controls aligned with ISO 27001.
Incident Reporting
base-foundation's complete Incident Reporting policy document is available upon request.
We practice blameless postmortems at base to ensure we understand and remediate the root cause of every incident with a severity of level 2 or higher. This excerpt from our internal documentation describes how we run postmortems at base.
What is a postmortem?
A postmortem is a written record of an incident that describes:
- The incident's impact.
- The actions taken to mitigate or resolve the incident.
- The incident's root cause.
- Follow-up actions taken to prevent the incident from happening again.
At base, we track all postmortems with Jira issues to ensure they are completed and approved.
Postmortem process
Running the postmortem process includes creating a postmortem issue, running a postmortem meeting, capturing actions, getting approval and (optionally) communicating the outcome.
The postmortem owner is responsible for running through these tasks:
- Create a postmortem and link it to the incident.
- Edit the postmortem issue, read the field descriptions and complete the fields.
- To determine the root cause of the incident, use the "Five Whys" technique to traverse the causal chain until you find a good true root cause.
- Schedule the postmortem meeting. Invite the delivery team, impacted teams and stakeholders, using the meeting invitation template.
- Meet with the team and run through the meeting schedule below.
- Follow up with the responsible dev managers to get commitment to specific actions that will prevent this class of incident.
- Raise a Jira issue for each action in the backlogs of the team(s) that own them. Link them from the postmortem issue as "Priority Action" (for root cause fixes) or "Improvement Action" (for other improvements).
- Look up the appropriate approvers in Confluence and add them to the "Approvers" field on the postmortem.
- Select the "Request Approval" transition to request approval from the nominated approvers. Automation will comment on the issue with instructions for approvers.
- Follow up as needed until the postmortem is approved.
Once the postmortem process is done, the actions are prioritized by the development team as part of their normal backlog according to the team's SLO.