Minimum Viable Secure Product (MVSP)
The security baseline for B2B software vendors — backed by Google, Salesforce, and Okta. 25 controls. Achievable in weeks. Required by enterprise procurement.
The minimum security checklist enterprise buyers actually use
Minimum Viable Secure Product (MVSP) is an open security checklist created by security teams at Salesforce, Google, Okta, Slack, and others. It defines the minimum acceptable security posture for B2B software and outsourcing providers.
Unlike ISO 27001 (114 controls) or SOC 2 (variable), MVSP has exactly 25 controls across four categories: Business, Application, Operational, and Privacy. It's designed to be achievable by any serious software vendor — not just large enterprises with dedicated security teams.
Why MVSP is the right starting point for B2B software vendors
Fastest security baseline to achieve
MVSP has 25 controls — compared to 114 for ISO 27001:2013. For a startup that needs to demonstrate security posture quickly, MVSP is achievable in weeks, not months.
The gateway to ISO 27001 and SOC 2
MVSP controls map directly onto ISO 27001 Annex A and SOC 2 Trust Services Criteria. Implementing MVSP correctly gives you a 40–60% head start on both larger certifications.
Required by major enterprise customers
MVSP is backed by Salesforce, Google, Okta, Slack, and others. An increasing number of enterprise procurement teams use MVSP as their minimum vendor security standard.
Vendor security assessment tool
Large organizations use MVSP to triage suppliers. If you supply to enterprise customers, being able to fill in an MVSP self-assessment accurately speeds up procurement and reduces sales cycle length.
The 25 MVSP controls — what you need to implement
MVSP covers four areas. All 25 controls are trackable and evidence-linked in the Unicis platform.
Business Controls (4 controls)
Vulnerability management
Maintain a documented process for identifying and remediating security vulnerabilities.
Security updates
Apply security patches within 90 days for medium/low, 30 days for high, and 14 days for critical vulnerabilities.
Secure development
Implement OWASP Top 10 controls in software development. Conduct annual security training for developers.
Third-party security
Maintain an inventory of key suppliers and subprocessors, assess their security posture, and include security requirements in contracts.
Application Controls (4 controls)
Single Sign-On
Support SSO via SAML 2.0 or OAuth/OIDC. Allow enterprise customers to manage access through their identity provider.
HTTPS enforcement
All services accessible over the internet must use TLS 1.2 or higher. HTTP redirects to HTTPS.
Security headers
Implement standard security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and others.
Password policy
Enforce minimum 8-character passwords (or 6 for 2FA-enabled accounts). No maximum password length restrictions.
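A self-assessment check for the three technical Application Controls above (HTTPS enforcement, security headers, password policy), added here as an example; it is not Unicis or MVSP code. It assumes a minimal `Response` stand-in built from constructed sample data rather than a live HTTP client, and treats Strict-Transport-Security as one of the "others" the security-headers control leaves unnamed.

```python
from dataclasses import dataclass, field
from typing import Optional
# Headers the page names, plus Strict-Transport-Security (assumed under "and others").
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Frame-Options",
                    "X-Content-Type-Options", "Strict-Transport-Security")

@dataclass
class Response:
    """Minimal stand-in for an HTTP response, constructed for this example."""
    status: int
    headers: dict = field(default_factory=dict)
    tls_version: Optional[str] = None  # e.g. "TLSv1.2"; None for plain HTTP

def check_https(http_resp: Response, https_resp: Response) -> list:
    """HTTPS enforcement: plain HTTP must redirect to HTTPS; TLS must be 1.2 or higher."""
    findings = []
    location = http_resp.headers.get("Location", "")
    if not (300 <= http_resp.status < 400 and location.startswith("https://")):
        findings.append("HTTP does not redirect to HTTPS")
    if https_resp.tls_version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"TLS version {https_resp.tls_version!r} is below 1.2")
    return findings

def check_headers(resp: Response) -> list:
    """Security headers: each required header must be present (names are case-insensitive)."""
    present = {name.lower() for name in resp.headers}
    return [f"missing header {h}" for h in REQUIRED_HEADERS if h.lower() not in present]

def check_password_policy(min_len: int, min_len_2fa: int, max_len: Optional[int]) -> list:
    """Password policy: at least 8 characters (6 with 2FA) and no maximum length."""
    findings = []
    if min_len < 8:
        findings.append(f"minimum length {min_len} is below 8")
    if min_len_2fa < 6:
        findings.append(f"2FA minimum length {min_len_2fa} is below 6")
    if max_len is not None:
        findings.append(f"maximum length {max_len} restricts passwords")
    return findings

def assess(http_resp: Response, https_resp: Response, policy: dict) -> dict:
    """Run the three checks; an empty finding list means the control passes."""
    return {"HTTPS enforcement": check_https(http_resp, https_resp),
            "Security headers": check_headers(https_resp),
            "Password policy": check_password_policy(**policy)}

# Constructed sample: redirect and TLS pass, but CSP is missing and passwords are capped.
HTTP_SAMPLE = Response(301, {"Location": "https://app.example/"})
HTTPS_SAMPLE = Response(200, {"X-Frame-Options": "DENY", "x-content-type-options": "nosniff",
                              "Strict-Transport-Security": "max-age=31536000"}, "TLSv1.2")
POLICY_SAMPLE = {"min_len": 8, "min_len_2fa": 6, "max_len": 64}
```

Running `assess(HTTP_SAMPLE, HTTPS_SAMPLE, POLICY_SAMPLE)` on the constructed sample passes HTTPS enforcement but flags the missing Content-Security-Policy header and the 64-character password cap, which is the kind of gap a questionnaire answer of "yes" would otherwise hide.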
Operational Controls (4 controls)
Physical security
Production systems hosted in ISO 27001 or SOC 2 certified data centers. Physical access controls documented.
Encryption at rest
Sensitive data encrypted at rest using AES-256 or equivalent. Encryption key management policy documented.
Audit logging
Audit logs for security-relevant events retained for at least 90 days. Logs protected from tampering.
Penetration testing
Annual penetration test by a qualified third party. High/critical findings remediated before next production deployment.
Privacy Controls (EU) (4 controls)
GDPR Article 28
Data Processing Agreement available for customers. Documents sub-processors and data handling obligations.
Data deletion
Customer data deletion available on request and within 30 days of account termination.
Data portability
Ability to export customer data in a standard format (CSV, JSON) on request.
Sub-processor transparency
Public list of sub-processors maintained and kept up to date. Notification process for sub-processor changes.
MVSP use cases by company type
Early-stage startups
You need to respond to a security questionnaire from your first enterprise customer. MVSP gives you a structured self-assessment format that answers the most common vendor security questions.
B2B SaaS companies
Before you can afford ISO 27001 certification, MVSP establishes the security baseline that enterprise customers expect. It demonstrates you've thought systematically about security.
Outsourcing & service providers
MVSP was specifically designed for outsourcing providers. If you provide managed services, development services, or data processing, MVSP is the standard your clients will measure you against.
SMEs preparing for ISO 27001
Use MVSP as your starting point. Unicis maps MVSP controls to ISO 27001 Annex A, so every MVSP control you implement is already credited toward your ISO 27001 certification journey.
Use MVSP as your ISO 27001 foundation
Every MVSP control maps to one or more ISO 27001:2022 Annex A controls. When you implement MVSP in Unicis, those controls are automatically credited toward your ISO 27001 GAP analysis.
Unicis shows you the cross-framework mapping in real time — so you can see exactly how your MVSP implementation progress translates into ISO 27001 readiness. This is unique to open-source platforms that support multi-framework control mapping.
- MVSP 25 controls → ~40% ISO 27001 Annex A coverage
- Cross-framework mapping calculated automatically
- GAP analysis shows remaining ISO 27001 controls
- Same evidence linked across both frameworks
[Chart: MVSP → larger frameworks. Approximate coverage; exact mapping tracked in Unicis.]
How Unicis implements MVSP: through the Unicis Atlassian Apps and the Unicis Platform Modules.
Who should adopt MVSP?
MVSP applies to any organization building or delivering enterprise software and digital services — including technology, healthcare, finance, government, education, retail, telecom, and legal sectors — particularly where sensitive or regulated data is processed or stored.
Multi-Framework Support
11 Compliance Frameworks Supported
From the minimum viable security baseline to enterprise-grade standards — coverage for every compliance requirement.
Start implementing MVSP with Unicis
MVSP controls are included in the free Community plan. Start today — no credit card required. Track all 25 controls with automated GAP analysis and cross-framework mapping to ISO 27001.