Varnish Software is committed to meeting legal, customer and partner requirements through continual improvement and control of Varnish Software's solutions, products, support, services and business processes.

Contact Us

Varnish Software ISO 27001 Certification

Varnish Software has been ISO 27001 certified since April 2023, with an established ISMS (Information Security Management System). Varnish Software has achieved ISO 27001 certification for its offices in Oslo, Norway; Karlstad, Sweden; Stockholm, Sweden, and Tokyo, Japan. The ISMS is an integral part of the organization’s process and overall management structure with the aim of systematically improving and managing information security risks. The management system covers, among other things, changes to the information environment, information handling, supplier management and the HR process to ensure that information confidentiality, integrity and availability is maintained in a suitable manner.

The ISO 27001 Standard

ISO 27001 is a risk-based management system for information security. It means the organization needs to identify which information security risks apply to the organization and select the appropriate controls to mitigate them. Mandatory parts of the standard are:

Context of the organization. The intended scope of the standard in the organization.

Leadership. Management's commitment to maintaining an effective management system as well as information security policy and the formal establishment of security-related roles and responsibilities.

Planning. Activities like risk assessments and risk management.

Support. Provide the necessary resources, training, and communication regarding security.

Operation. Carry out risk assessments and risk treatment.

Performance evaluation. Security monitoring, internal audit and management review.

Improvement. Seize opportunities to make security processes and controls better over time.

Pexels Joris Eschalier 19168467

The Compliance Function Within Varnish Software

Compliance is an important part of the Varnish Software organization with the main task of ensuring legal compliance, compliance with company policies and supporting the organization and driving awareness. Varnish Software’s compliance agenda is led by the compliance officer with both an internal and external focus. 


  • Identifying relevant risks an organization faces and ensuring that operations are in line with regulatory standards

  • Designing and implementing compliance programs while also resolving compliance difficulties as they occur in real time

  • Reviewing and commenting on policies and procedures

  • Acting as an advisor and providing input to senior management

  • Driving training and awareness initiatives

  • Driving improvements by ISO 27001 standards


  • Serving as the official channel of communication with regulators

  • Reviewing documents to be submitted to regulators

  • Clarifying laws and guidelines with regulators

  • Reviewing and approving customer compliance-related agreements

Diego Ph Fiq0tet6llw Unsplash

Varnish Software Compliance Lines of Defense

Varnish Software directs and leads its compliance work based on the three lines of defense. The ambition is to constantly strengthen, develop and improve each line to ensure compliance with laws, regulations and customer requirements.

First Line: Varnish Software’s first line of defense is its employees who are involved in developing, designing, supporting and selling our products. Their obligations are to report any incident, event, risks or nonconformities related to Varnish Software products, operations and customers.

Second Line: Varnish Software’s second line of defense is the risk-related functions (IT and information security functions at Varnish Software). Their obligations are to treat and mitigate any incident, event, risks or nonconformities related to Varnish Software products, operations and customers.

Third Line: Varnish Software’s third line of defense is the compliance function. This is made up of external and internal auditors who independently evaluate compliance risks and controls. 

They are also responsible for reporting to the management team. Varnish Software ensures compliance with laws, regulations and customer requirements preliminarily with the following activities:

Internal Audit Program (ISO 27001), performed annually

External Audit Program (ISO 27001), performed annually

Finance Audit Program (law) including ISA 315 (information security)

Risk management procedure and reporting

Incident management procedure and reporting

Improvement management procedure and reporting

Varnish Software

Compliance Culture

Varnish Software strives for and encourages its employees and partners to continuously consider, assess, and evaluate any compliance risks related to Varnish Software services and operation and report risk according to established procedures. Varnish supports a compliance culture where:

  • All employees understand the compliance risks relevant for their respective role.

  • All employees, managers and members of the management feel empowered to take active steps to ensure Varnish Software remains compliant with applicable laws, rules and regulations.

  • Compliance role models are highlighted and ethical behavior is rewarded.

  • A willingness to report incidents or risks related to compliance is encouraged.


Information at Varnish Software

Varnish Software uses the security controls from the ISO 27001 standard as a baseline to provide secure services for our customers.

Varnish Software Information Security Management System, ISMS processes, policies, processes, procedures and guidelines describe how the work with information security shall be conducted. The ISMS follows an iterative cycle of phases to plan, implement, monitor and improve. Varnish Software’s CEO is the ultimate owner of and responsible for information security within Varnish Software. The compliance officer is responsible for the ISMS and the associated activities and reports to the COO.

The work on information security within the framework of the ISMS is based on operational risk, security risks and regulatory requirements. Risk management identifies risks associated with privacy, traceability, loss of confidentiality, integrity and availability of information within the scope of the ISMS.

ISMS planning is based on the business purpose of information security and is implemented top down, with the business context as the foundation. Varnish Software ensures that the ISMS can achieve its intended outcome, prevent or reduce undesired effects and enable continual improvement.

To verify status and progress according to ISO 27001 requirements, governance and operational activities are monitored.

Connect with Our Team

We’re happy to help with any questions you may have about our compliance processes, software, support or anything else Varnish related.

Ico Try Varnish

Try Varnish

  • Explore our products
  • Free trial
  • Fully functional
Icon Speech White

Live chat

Talk with an advisor about the right solution for your needs

Card Circles
Ico Msg Us

Message us

We have offices across the globe who can help answer any questions you may have.

Request a free trial