Right, I have a confession to make – I didn’t do a good job of choosing our website CMS (Content Management System) provider.

As a SaaS business, I’m always keen to use SaaS solutions wherever possible, so when our marketing team rebuilt our ‘marketing’ website around 12 months ago I encouraged them to choose a company who offered a SaaS CMS platform.

The functionality of the CMS system we opted for was pretty good, which was important to the marketing team. However, we didn’t do a good enough job of vetting their service delivery and operational procedures.

This came home to roost earlier in the week, when we accidentally deleted some image files from the CMS platform, which meant the images on some web pages were missing. No big deal, you might think: let’s call the provider and ask them to restore the deleted images.

This is when the problems started – the provider (who I won’t name here) was able to restore the images, but couldn’t restore the URL references inside the pages which were automatically deleted when the image files were removed.

So after several frantic hours on the phone, it turns out they didn’t have a full backup of our web pages; they only had a partial backup. So our team was left to spend many hours manually recreating the URLs that had disappeared.

A few missing images on our web page isn’t the end of the world – but it illustrates how reliant you become on the capabilities of your provider.

In an environment where many companies are claiming to be SaaS providers, it really is worth taking the time out to check their capabilities. So I’ve put together a quick checklist which you might want to use when speaking to SaaS providers. We will use it when choosing our next provider!

Infrastructure

  • Where is their infrastructure located?
  • How physically secure is the infrastructure?
  • How is resilience achieved?
  • What type of protection do they have against theft, fire or flood?
  • Power – what happens if there is a power cut? Do they have a UPS, generator or alternative power supply?
  • What happens if there is a major disaster and the site is physically destroyed (think Buncefield or a plane crash)?
  • How quickly can they recover? How would they source new hardware? Do they have a hot or cold standby site?

Procedures 

  • What is their backup procedure?
  • How often do they test their restore process?
  • When was the last time they restored a customer’s data?
  • How do they monitor their infrastructure?

Security 

  • What is their Information Security Policy?
  • Are they working towards or have they achieved ISO 27001?
  • Do they have third parties conduct penetration tests (white-hat hacking) and, if so, how often?