Certifications & Audits

Certifications & Audits


Cloud Computing Compliance Controls Catalogue (C5)

Fabasoft is the first European provider of cloud services to have received the attestation pursuant to the requirements of the catalogue of requirements C5(Cloud Computing Compliance Controls Catalogue, in short: C5), issued by the Federal Office for Information Security (BSI). The KPMG Alpen-Treuhand GmbH Wirtschaftsprüfungs- und Steuerberatungsgesellschaft issued the attestation. The C5 attestation from KPMG pursuant to the requirements of the BSI is a recognized and reliable proof which transparently reveals the high level of information security of the Fabasoft Cloud for all Fabasoft Cloud customers. 

The catalogue of requirements of the BSI specifies the minimum requirements that cloud service providers must meet. The defined surrounding parameters are an integral characteristic of the BSI C5 and ensure transparency with regard to system description, jurisdiction and locations of data storage, data processing and data backup, disclosure and investigation powers, as well as certifications

More information about C5



EuroCloud Star Audit

Fabasoft now has successfully completed the “EuroCloud Star Audit”. Fabasoft is the first company in the world to receive five stars for its Cloud services, the highest possible certification by the international “EuroCloud Star Audit” (ECSA V3.0). The certification system used for the audit and for the external quality evaluation of Cloud services in Europe is based on best practices and is carried out by the renowned organisation EuroCloud Europe.​

While the testing procedures of many recognised auditing institutions put their focus on the security and compliance with data protection within a Cloud environment, the EuroCloud Star Audit (ECSA) has an approach to certification that is unique in Europe: on the basis of a comprehensive and entirely disclosed list of criteria, it checks the quality standards of the Cloud’s entire value-added chain. ECSA therefore always has a view of the entire supply chain of a Cloud ecosystem. In an audit, the strict criteria applied to the quality standards of embedded suppliers of infrastructure and platform or of a “Federated Cloud” are the same as those applied to the audited Cloud provider himself.

The list of auditing criteria comprises full details of the service provider and the actual location of the data, regulations regarding contracts and compliance, security and data protection, infrastructure operations and their related processes as well as the evaluation of the specific service types Iaas, Paas and Saas. On the basis of this important number of criteria, scientific studies have attested to the high standard of quality and the important industrial influence of the pan-European business association EuroCloud.

Advantages for Fabasoft’s customers

The Cloud certification bears many advantages for Fabasoft’s customers, such as the guaranteed refund of the monthly service charges if the service level agreed by contract is not fulfilled or if there are any system failures. The certification furthermore guarantees that the customer’s data will be retransmitted by way of a predefined process once the contract is terminated – to name just a few benefits.

For more information on the ECSA certification click here.



ISO 9001 - Quality Management

Since 2005 the entire Fabasoft company has been ISO 9001 certified. Once a year our quality management is audited and certified by a leading certification body.

The aims of the audit are to examine the conformity with demand models and the identifying of potential for the further development of the quality management system. TÜV AUSTRIA CERT GMBH has successfully carried out the surveillance audit in July 2016.

Continuous Improvement

The quality management system at Fabasoft is a living system. This means that work methods, processes and their corresponding documentation are continuously adapted to the new data and constantly undergoing improvements.

All Fabasoft business-relevant processes are depicted in the form of graphic process diagrams in the process landscape in the internal system. The further development, checking and approval of these processes is the responsibility of the process owner and is defined for every process.

Focus on Customer Orientation

A strategic aim of Fabasoft lies in a strong customer orientation of the quality management system. At Fabasoft customer satisfaction is of the highest importance. Fabasoft customers have the opportunity to share their opinions and improvement suggestions with us. In regular meetings (User Group) customers can give their feedback directly to the Fabasoft employee in charge. The results and evaluations of customer surveys are analyzed and integrated into the improvement processes to ensure that the customer demands are met.

ISO 9001 Certification


ISO 20000-1 - IT Service Management

In May 2011 Fabasoft received the ISO 20000 certificate for the IT services Folio Cloud (today: Fabasoft Cloud) and Folio SaaS for the first time. The ISO 20000-1 standard is an internationally recognized standard for IT service management systems which documents the requirements for professional IT service management.

Implementation of International Standards

With this certification, Fabasoft underlines its strategy of implementing international standards.

ISO 20000-1 serves as a measurable quality standard for IT Service Management (ITSM). The aim of ISO 20000 is to deliver a higher quality of IT services to customers. Alignment according to the needs and requirements of customers plays a primary role.

Conformity with ITIL

The standard also serves as an instrument to model processes in an optimized management system as they are described in the Office Government Commerce (OGC)’s IT Infrastructure Library (ITIL). This encompasses such core processes as change, release, incident, problem and security management.

The certification brings with it many advantages. Alongside the targeted improvement of processes through regulated structures, service level maintenance, customer satisfaction and availability of services are more easily measurable by means of key performance indicators.

TÜV AUSTRIA CERT GMBH has successfully carried out the surveillance audit in July 2016.

ISO 20000 Certification


ISO 27001 - Information Security

In June 2008 Fabasoft received the ISO 27001 certificate for the first time. The standard is a globally recognized standard for the assessment of the security of IT environments.

Clearly Defined Standards

The certification’s range of validity specifies the requirements for fully comprehensive information security management concerning all IT and business processes as well as all confidential company information. For customers, the ISO 27001 certification means compliance with clearly defined technical and security based standards and thereby defined service levels for the Fabasoft data centers.

Continual Adaptation

Periodical internal controlling of the processes and provisions detailed in the ISO 27001 is the basis for the further development of internal IT security standards and the continual adaptation according to changing frameworks and tasks.

TÜV AUSTRIA CERT GMBH has successfully carried out the surveillance audit in July 2016.

ISO 27001 Certification


ISO 27018 - Protection of personal data

In July 2015 Fabasoft was audited successfully and gained also certification under ISO 27018. The international standard was established for the first time in August 2014 and specifies data protection requirements for cloud service providers.
They have to undertake major obligations regarding notification, information, transparency and burden of proof in order to build trust with clients and public institutions concerning the processing of personal data within the cloud. TÜV AUSTRIA CERT GMBH has successfully carried out the surveillance audit in July 2016.

ISO 27018 Certification


TÜV Rheinland

TÜV Rheinland i-sec GmbH certification body certifies that Fabasoft R&D GmbH has achieved the following objectives for the Fabasoft Cloud, Fabasoft Folio SaaS, HeadsUp! User Engagement, and Mindbreeze InSite services for the cloud infrastructure and cloud application:


  • Effectiveness in selecting the data location
  • Secure hosting of data
  • Secure data transmission
  • Secure operation of business-critical applications
  • Quality and availability of service provision – high service continuity, high on-demand scalability
  • Security and quality of data access and data storage – secure login procedure, andauthorization systems to control data access at network level
  • State-of-the-art protection against attacks

Proof was provided on site in the form of random external and internal security analyses as well as an audit of the technical, physical as well as organizational security measures, and business processes. The test report 63007063-01 forms part of this certificate.

TÜV Rheinland i-sec GmbH tests the effectiveness of the assessed process through annual monitoring audits.

For more information please click here.

TÜV Rheinland Certificate


ISAE 3402 Type 2

The International Standard on Assurance Engagements (ISAE 3402) is the international testing standard that assesses the effectiveness of internal control systems (IKS) of service providing organizations. The standard was created by the International Auditing and Assurance Standards Board (IAASB) as a successor to the SAS 70 Standard. Up until 2011 Fabasoft was tested according to the AICPA’s reporting standard SAS 70 Type 2, afterwards according to ISAE.

ISAE 3402 aims to extensively test an organization’s internal control system and to rate its effectiveness in detail. The testing takes place over a six month period. The ISAE 3402 test report contains the opinion of an external test company on the control procedure at the service provider, a description of the control points, the test methods and controls, information about the test period and a statement about the effectiveness of the controls.

ISAE 3402 Type 2 Certification


Audit-proof Archiving

The vision of a paper-free office is as old as the first IBM PC that fitted onto a regular desk – but we're still chasing that dream. The rules and regulations governing the storage of business records, invoices, contracts, documentation for accounts and financial records are partly to blame for this. Time limits legally required for storage vary from a few years to eternity and beyond.

Fabasoft Folio is a huge step forward, as audit-proof electronic storage eliminates the costs and space requirements needed for hard-copy storage.

Verified Quality

The PricewaterhouseCoopers auditors worked according to a checklist. Some of the most important points, which were naturally found to be without faults, were:

  • Data access. Already in the course of the ISAE 3402 Type 2 test, virtual and physical access restrictions were thoroughly checked and found to be sufficient. Client data is safe from prying eyes.
  • Data cannot be amended retrospectively.
  • Relevant documents cannot be deleted before the time limit expires –not even by Fabasoft administrators.
  • The trail from paper to electronic storage is sufficently secured.
  • All legal requirements are met.
Archive 2010 logo


IDW PS 880

KPMG Advisory GmbH reviewed the Fabasoft Cloud in terms of revision security in accordance with Austrian, German and Swiss commercial and tax law, and issued the certificate according to IDW PS 880. The Fabasoft Cloud therefore meets the required storage requirements in Germany, Austria and Switzerland (GoB compliant archiving) .
The safe and proper storage of digital data has not only become a key compliance requirement but also an existential challenge for companies. Stronger interconnectedness and current legislative changes, such as the EU Data Protection Basic Regulation, exacerbate this requirement.
In the case of the IDW PS 880 examination, an independent auditor determines whether and to what extent software solutions support the storage regulations in accordance with the applicable trade and tax law (audit-proof or GoB-compliant archiving) of the respective country in order to meet the required compliance.




MoReq stands for Model Requirements for the Management of Electronic Records and is geared towards standardizing the creation and storage of business documents in digital form. The MoReq1 project was therefore started in Europe in 2001 to establish a uniform standard for business records management software. Because of the pace of technical development, MoReq1 soon became outdated and thus it was decided to start MoReq2.

MoReq2 is today the most important specification for electronic document and record management in Europe. The European standard specifies requirements for written material administration, document and records management as well as for electronic archiving. The current version of MoReq2 was published on February 13, 2008, complete with a certification process for software products. In order to be able to call itself "MoReq2 certified", a software product must undergo an extensive testing process.

In December 2008 Imbus AG were assigned as the first official accreditation board for MoReq2 to carry out the tests and examinations as an independent institute.

The standard is the benchmark for all users who systematically manage and store electronic and paper information. Jef Schram from the European Commission in Brussels on the motives behind the standard: "MoReq2 offers an extensive specification of requirements for the management of electronic records and business processes across the whole of Europe." MoReq2 is intended for users from the private and public sectors, for manufacturers and consultants, as well as for associations and eductional organizations.

MoReq2 logo



Equal opportunities for people with disabilities and their integration into society and work require the accessible use of software, which is also defined by law.

The user interface of the Fabasoft Public Cloud is not only easy and intuitive to use but is also  available in 22 different languages. Moreover, it is almost 100% accessible and offers equal opportunities for people with impairments, as the certificate “very accessible” granted by Pfennigparade Center for Accessibility on the Internet in January 2015 attests. 

The Fabasoft eGov-Suite is offering accessibility for almost all kinds of disabilities. In September 2013, Pfennigparade tested the web application Fabasoft eGov-Suite 2013 for accessibility. The practical accessibility of the application corresponds to an overall result of 93.5 points of a BITV test. The Fabasoft eGov-Suite 2013 is therefore “very accessible”.

Pfennigparade logo