Support Fusion sits between organisations that need their tickets in sync. MSPs and their enterprise clients. MSPs and other MSPs. MSPs and their vendors. The data we touch moves between systems that run critical IT operations for real businesses, globally.
We can say our security is solid. We can describe our architecture, our controls, our data handling practices. But claims aren't proof. Audits are. That's why we're pursuing ISO 27001 and SOC 2 certification.
We demo Support Fusion to an MSP. They like it. They can see how it solves the rekeying problem. They want to get started.
Then they take it to their enterprise client for approval. And the client's security team asks a reasonable question: "Are they certified?"
If the answer is no, one of two things happens. The project goes into a holding pattern while the security team does a manual review of our architecture, policies, and controls. That can take months. Or the project gets parked entirely because the client has a blanket policy: no certification, no vendor onboarding.
Either way, the MSP loses momentum on a deal they've already won.
ISO 27001 is an international standard for information security management. In plain terms, it means an independent auditor has reviewed how we handle data, manage risk, control access, develop software, and respond to incidents, and they've confirmed it meets a defined standard.
It's not a one-off audit. It's a management system. Once certified, we get reviewed regularly to make sure the controls are still in place and still working.
For the MSPs and enterprise clients evaluating Support Fusion, it means three things.
First, the controls are verified. Not just documented. Checked by an independent auditor. Policies, access controls, encryption, incident response, secure development, vendor management. All audited against the standard.
Second, the review process is faster. Enterprise security teams know ISO 27001. When a vendor is certified, the security questionnaire gets shorter. Instead of asking us to describe every control from scratch, they can review the certification and focus their questions on the specifics that matter to them.
Third, it's ongoing. Certification isn't a badge you earn once and forget. The management system requires regular internal audits, management reviews, and external surveillance audits. If something slips, it gets caught.
Our ISO 27001 certification audit is booked for June 2026. The controls, policies, and secure development lifecycle are already in place. We've been operating to the standard for months. What remains is the formal independent audit and the certification itself.
SOC 2 will follow. We've structured our controls so that the ISO 27001 work feeds directly into the SOC 2 process, rather than running two parallel certification programmes. SOC 2 is particularly important for our US customers, where it's often the first certification enterprise security teams ask about.
We know that "coming soon" isn't always enough. If your client's security team needs to evaluate us before the certification is finalised, we can share our security architecture documentation, data handling practices, and secure development lifecycle documentation directly.
These have already been reviewed by enterprise security teams at several large managed service providers and their clients. We're happy to go through them on a call, or send them through for your client's team to review independently.
ISO 27001 is the standard most recognised in Australia, the UK, and across Europe. SOC 2 is the standard most US enterprise buyers ask for first. Our customers operate in all of these markets, so we need both.
We also know that certifications aren't the finish line. They're the baseline. The real work is building security into how we operate every day, not just how we prepare for an audit. The least-data approach we take to ticket handling (we've written about that separately) is one example. Storing API keys in a separate secrets manager is another. These aren't audit-driven decisions. They're design decisions we made from day one because they're the right way to handle other people's data.
Independent certification is how we prove it.
Support Fusion connects IT ticketing systems including ServiceNow, ConnectWise, Autotask, Jira, HaloPSA, Zendesk, and more. If security certification is on your checklist, or you're heading into a vendor review with an enterprise client, book a demo and we'll walk you through our security posture in 15 minutes.