Parolla Limited is certified to ISO/IEC 27001:2022.
That is an important distinction in the Irish payroll software market, you’d be surprised how few companies are fully certified themselves.
Some payroll platforms describe themselves as ISO 27001 aligned. Others emphasise that they are hosted in an ISO 27001-certified data centre. Desktop software providers may point out that the customer stores the payroll data on their own computer or network.
These can all be relevant security considerations—but none is the same as the payroll software company having its own independently certified Information Security Management System.
A useful analogy is:
ISO-certified hosting is like renting an office in a secure building. The building may have guards, strong locks, fire protection and controlled access, but that does not tell you whether the company inside uses weak passwords, leaves confidential files exposed or develops insecure software.
A secure building does not automatically make every tenant secure.
In the same way, a certified hosting company can protect the underlying infrastructure. Its certificate does not automatically cover the payroll application, its software developers, employee access, customer-support procedures, software updates or incident response.
That is the difference between using a certified supplier and being a certified supplier.
Certified, aligned and hosted are not the same
ISO/IEC 27001 is the international standard for an Information Security Management System, commonly called an ISMS.
An ISMS provides a structured way to identify, assess and manage information security risks across people, policies, processes and technology.
When a payroll provider refers to ISO 27001, it may mean one of several different things.
The payroll provider is ISO 27001 certified
The provider’s own Information Security Management System has been independently audited against ISO/IEC 27001 within a formally defined certification scope.
This is Parolla’s position, we are an ISO 27001 certified payroll software, independantly audited by Amtivo Ireland.
The provider is ISO 27001 aligned
The company may have adopted some policies, processes or controls from the standard.
This may represent substantial security work. However, “aligned” is not a formal certification status and does not necessarily mean that the provider’s controls have been independently assessed, or that all controls have been adopted and implemented.
The extent of alignment can vary significantly between organisations.
The software is hosted in an ISO 27001-certified data centre
The infrastructure or cloud provider holds certification for the services and locations covered by its own certificate.
This provides valuable assurance regarding the underlying hosting environment. It does not mean that the company developing and operating the payroll application is certified.
The certificate belongs to the organisation named on it and applies only to the activities included within its stated scope.
What a hosting provider’s certificate covers
A certified hosting or data-centre provider may be responsible for controls such as:
- Physical data-centre access
- Power and environmental resilience
- Hardware and network infrastructure
- Fire detection and suppression
- Physical surveillance
- Disposal of failed hardware
- Availability of the underlying hosting platform
These are important controls.
However, the hosting provider does not normally:
- Design the payroll calculations
- Review the payroll application’s source code
- Test the application for software security flaws
- Control the payroll company’s employees
- Decide which support staff can access customer information
- Manage the payroll provider’s passwords and authentication
- Approve software changes and releases
- Investigate incidents within the payroll application
- Decide what information is collected through analytics or monitoring
- Manage integrations with Revenue, banks, accounting systems or pension providers
Those responsibilities remain with the payroll software provider.
A company could host an insecure application within a highly secure and fully certified data centre. The hosting provider’s certificate would not necessarily identify or address weaknesses in the application because the software developer’s activities sit outside the host’s certification scope.
What about desktop payroll software?
A different argument is sometimes made by providers of traditional desktop payroll systems:
“We do not host the customer’s payroll database, so we do not need an Information Security Management System.”
That conclusion is too simplistic.
Locally installed payroll software changes how security responsibilities are divided, but it does not remove the software developer’s information security responsibilities.
With a desktop payroll system, the customer may be responsible for:
- Securing the computer and local network
- Controlling operating-system user accounts
- Encrypting devices and storage
- Installing operating-system security updates
- Restricting access to shared drives
- Protecting payroll backups
- Managing antivirus and endpoint security
- Preventing payroll files from being copied or emailed insecurely
Those responsibilities are significant.
However, customer-hosted data does not mean that the software company has no security risks to manage.
The software developer remains responsible for the security, integrity and quality of the product it creates and distributes.
Another analogy helps explain this:
Selling a safe for installation in a customer’s office does not remove the manufacturer’s responsibility to design a secure lock.
The customer must protect the room in which the safe is stored. The manufacturer must still ensure that the safe does not contain a design flaw that allows it to be opened.
Why desktop software developers still need an ISMS
Whether payroll software is cloud-based or installed on a customer’s computer, the developer should have a structured process for managing risks throughout the software lifecycle.
Secure software development
Security weaknesses can be introduced during software design, coding, testing or deployment.
An ISMS should define how software changes are authorised, reviewed, tested and released. It should also address:
- Access to source code
- Secure coding practices
- Code review and testing
- Separation of development and production responsibilities
- Third-party software dependencies
- Vulnerability management
- Correction of identified defects
- Protection of development and build environments
The location of the customer’s database does not prevent a programming error from exposing, corrupting or incorrectly processing payroll information.
Software errors and payroll integrity
A security incident does not always involve an external hacker.
A software defect could:
- Apply an incorrect payroll calculation
- Associate information with the wrong employee
- expose data between employers
- Generate an incorrect payment file
- Produce inaccurate Revenue submissions
- Corrupt payroll records
- Display sensitive information to an unauthorised user
An effective ISMS should consider the confidentiality, integrity and availability of information.
For payroll software, integrity is particularly important. Employers must be able to trust that calculations, deductions, submissions and reports are complete and accurate.
Software updates and distribution
Desktop software still needs to be downloaded, installed and updated.
The provider should manage the security of its:
- Development environment
- Software build process
- Installation files
- Download servers
- Code-signing arrangements
- Update mechanism
- Release approval process
A compromised update system could distribute malicious or altered software directly to customers.
An ISMS creates clear accountability for who can build a release, who can approve it, how its integrity is verified and how the provider responds when an update is defective or compromised.
APIs and external connections
Modern desktop applications are rarely completely isolated.
Payroll software may connect to:
- Revenue services
- Pension or automatic-enrolment systems
- Accounting platforms
- Banking systems
- Payment providers
- Licence-management services
- Software-update servers
- Customer-support tools
These connections create security questions that cannot be answered simply by saying that the main payroll database is stored locally:
- What employee information is transmitted?
- How is the connection authenticated?
- How are certificates, tokens and passwords protected?
- Are requests and responses logged?
- Could sensitive information appear in error messages?
- What happens if an external service is unavailable or compromised?
- How are failed or duplicate submissions handled?
- How quickly can the software be updated when an API changes?
- Can one customer’s credentials or data be exposed to another?
These risks require formal ownership, assessment and treatment.
Metrics, telemetry and error reporting
A desktop application may communicate with its developer for:
- Licence activation
- Update checking
- Usage measurement
- Performance monitoring
- Diagnostic reporting
- Crash reporting
- Product analytics
- Error investigation
Not every application collects this information, and the level of collection varies. However, where these functions exist, the fact that the primary database remains on the customer’s computer does not mean that no information leaves the system.
Diagnostic information can unintentionally contain:
- Employee names or identifiers
- Company names
- Usernames
- File paths
- Payroll values
- API requests or responses
- Database queries
- Authentication information
- Application screenshots
- Details of the customer’s computer or network
An ISMS should identify these information flows and ensure that the provider:
- Collects only information that is necessary
- Documents what is collected
- Protects information during transmission
- Restricts access to diagnostic data
- Defines appropriate retention periods
- Deletes information when it is no longer required
- Prevents personal or confidential information from being included unnecessarily
Calling information “anonymous metrics” does not make it anonymous if it can identify a customer, employer, employee or device.
Customer support and remote access
Desktop software providers may ask customers to send:
- Payroll backups
- Screenshots
- Log files
- Diagnostic reports
- Exported payroll records
- Revenue submission files
Support may also involve remote-access software or screen sharing.
A payroll backup can contain extensive personal and financial information. Once a copy is sent to the software provider, important questions arise:
- Who can open it?
- Where is it stored?
- Is it encrypted?
- How long is it retained?
- Is it included in support-system backups?
- How is it securely deleted?
- Can support staff copy it to another device?
- Is access logged and reviewed?
- Are support staff trained in handling payroll information?
- What happens if the file is sent to the wrong recipient?
The software provider needs policies and controls for managing this information, regardless of where the customer normally stores the payroll database.
Security incidents and vulnerability disclosure
Every software company should have a structured process for receiving, assessing and resolving security reports.
That process should answer questions such as:
- Where can a customer or security researcher report a vulnerability?
- Who assesses its severity?
- How quickly are serious issues escalated?
- How are urgent patches developed and tested?
- How are affected software versions identified?
- When are customers notified?
- How are incidents investigated and documented?
- How does management confirm that corrective action was effective?
These are management-system questions, not hosting questions.
Does every payroll software provider legally require ISO 27001 certification?
ISO 27001 certification is not automatically a legal requirement for every payroll software company.
However, the absence of cloud hosting does not remove the need for effective information security governance.
Data-protection law requires organisations to implement appropriate technical and organisational measures based on the nature, scope, context and risks of the processing.
A provider may attempt to demonstrate this through internal policies, contractual commitments, security assessments or another recognised framework.
ISO/IEC 27001 certification adds independent assurance. It demonstrates that the provider has established a formal system for identifying, managing, reviewing and continually improving its information security risks within the certificate scope.
For payroll software, those risks exist whether the product is:
- Delivered through a web browser
- Hosted in a public cloud
- Hosted on private infrastructure
- Installed on a customer’s computer
- Operated from a customer-controlled network
The allocation of risks may change, but the risks do not disappear.
Certified, aligned and hosted compared
| Security position | What it means | Has the payroll provider itself been independently certified? |
|---|---|---|
| ISO 27001 certified | The provider’s own ISMS has been externally audited within a defined scope | Yes |
| ISO 27001 aligned | The provider has adopted some or all of the standard without necessarily completing certification | Not necessarily |
| Hosted by a certified provider | The hosting or infrastructure supplier is certified within its own scope | No |
| Customer-hosted desktop software | The customer controls local storage, but the software provider retains responsibility for product and development security | Not necessarily |
A payroll software provider may benefit from several of these approaches.
It may operate its own certified ISMS, use additional controls aligned with other recognised frameworks and rely on certified technology suppliers.
The critical question is whether the provider itself is an ISO 27001 certified payroll software company that has been independently assessed.
What Parolla’s certification means
Parolla’s own Information Security Management System has been independently audited and certified to ISO/IEC 27001:2022.
We are not simply relying on the certification of our hosting company, we are ISO 27001 certified payroll software
We are not describing ourselves only as aligned with the standard.
Our certification covers Parolla’s in-scope management of information security, including the people, policies, procedures and technologies used to develop, operate and support our payroll services.
Our ISMS addresses areas including:
- Information security governance
- Risk assessment and risk treatment
- Secure software development
- Access and identity management
- Change and release control
- Vulnerability and patch management
- Logging and security monitoring
- Incident management
- Backup and recovery
- Business continuity
- Employee and contractor security
- Supplier and sub-processor management
- Internal audits
- Management review
- Corrective action and continual improvement
Certification does not mean that a security incident can never happen. No responsible software provider can offer that guarantee.
It means that Parolla has established a formal, risk-based system for managing information security—and that this system has been independently examined against an internationally recognised standard.
Ask who actually holds the certificate for the ISO 27001 certified payroll software
When evaluating payroll software, do not stop at the statement:
“We use ISO 27001-certified infrastructure.”
Ask:
- Which legal entity is named on the certificate?
- Is it the payroll software provider or its hosting company?
- What products, services and activities are included in the scope?
- Does the scope cover software development?
- Does it cover customer support?
- Which version of ISO/IEC 27001 applies?
- Who issued the certificate?
- Is the certification body appropriately accredited?
- Can the certificate be independently verified?
- Is the certificate currently valid?
For desktop software, also ask:
- How is the software-development process secured?
- How are updates built, tested and distributed?
- What information is transmitted through APIs?
- Does the application collect usage or diagnostic information?
- How are payroll backups and screenshots handled during support?
- How are security vulnerabilities reported and corrected?
- How does the provider control access to source code and build systems?
- What incident-response process does the provider follow?
Certification should follow the responsibility
Cloud providers have information security responsibilities.
Customers have information security responsibilities.
Software developers have information security responsibilities.
One party’s certification should not be used to imply that another party’s systems, software or working practices have been independently assessed.
An ISO-certified host is valuable. Secure customer infrastructure is valuable. Neither replaces the need for the payroll software provider to manage the risks created by its own people, code, integrations, support processes and technology.
Parolla is ISO/IEC 27001:2022 certified because information security responsibility should extend beyond the data centre and into the company developing, operating and supporting the payroll software itself.
Our FAQ’s page is here