The perception that cloud based web applications are inherently less secure than the installed equivalents is not correct. However the difference between a development company who follows best practice, or better than best practice, and has recognised systems in place to identify, monitor and improve software security compared to a provider that does not will lead to large differences in how secure software is.
ISO 27001 (full name ISO/IEC 27001:2013 - Information technology - Security techniques -- Information security management systems) is an internationally recognised standard that has data security at its core.
The standard covers all types of organisations (not just software companies) and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organisation's overall business risks.
What that means is that we have policies covering all data and processes at Full Metal Software, not just data on our servers as it is not just IT Security, it is Information Security (be that digital or printed) and also includes a disaster recovery plans for all sorts of scenarios that are tested annually.
We monitor that we are following those processes and that we have an obligation to keep improving on those processes as new information or best practice becomes available.
As stated above it is a continual improvement standard and Full Metal Software has implemented the Plan Do Check Act Process of improvement (the Standard does allow other process models).
As you can see from the above diagram our improvement process encompasses both current and new policies constantly.