ISO 27001 Requirement for Providers: What You Need To Know
Here’s everything you need to know about what ISO 27001 security certification means to your organization and where its data is stored.
9 July 2015
Everyone’s been talking about ISO 27001 certification, and many providers are working toward getting this certification to enhance the security of their solutions for customers.
But not all ISO 27001 certifications are the same. If you’re not familiar with what this security certification means to your organization and where its data is stored, here’s everything you need to know about ISO 27001.
What is ISO 27001?
ISO 27001 is a standard for an information security management system (ISMS), set by the International Organization for Standardization (ISO). The program’s documentation states that ISO 27001 was developed “to provide a model for establishing, implementing, operating, monitoring, and maintaining an information security management system.” ISO 27001 is a framework of organizational best practices and processes used to identify potential risks and subsequently establish a set of controls that protect against those risks and keep data safe. In short, this certification is the standard that attests a provider is following recognized security management best practices and security controls.
Why should you care if your cloud provider has ISO 27001 certification?
This certification ensures that confidential information is secured from both a technical and an organizational perspective, and it gives customers and stakeholders confidence in how the provider manages risk. Providers with this certification regularly evaluate information security risks, including threats and vulnerabilities, and they implement information security controls and risk management practices to address company and architecture risks. Further, this certification ensures that your provider has adopted a process to verify that all information security controls are met.
You can be more assured that your organization’s data is protected if you work with a provider that has ISO 27001 certification. Here are just a few ways using an ISO 27001 certified provider can help your organization:
- Helps ensure the secure exchange of information
- Helps your organization meet its legal obligations
- Helps your organization comply with other regulations
- Helps provide your organization with a competitive advantage
- Helps manage and minimize risk exposure
- Helps protect the company, its assets, shareholders, directors and stakeholders
If you operate in a heavily regulated industry such as financial services or life sciences, ISO 27001 certification is particularly important, as it specifies the controls necessary to meet your industry’s regulatory requirements.
How does ISO 27001 certification ensure your data is protected and what does it cover?
The ISO 27001 documentation mandates that the organization adequately provide the following four services: asset identification and valuation, risk assessment and acceptance criteria, management and acceptance of these items, and the continual improvement of the organization’s overall security program. The ISO 27001 system’s six-part planning process ensures that certified providers cover all of the security bases, from defining a security policy, to conducting a risk assessment, to selecting the control objectives and controls to be implemented. The detailed specification gives the organization an efficient plan of action for taking preventive measures, since it also requires cooperation within and across all sections of the organization.
Are all ISO certifications the same?
According to the ISO 27001 system’s documentation, “ISO 27001 is the only certifiable security governance standard.” Customers should look specifically for the ISO 27001 certification, since other programs do not necessarily provide assurance of an organization’s information security standards or processes. ISO 27001 provides a set of controls that include risk assessment, asset management and control, business continuity management, and compliance. Depending on its risks, an organization is required to apply the corresponding controls. Not all ISO 27001 certifications are the same. You’ll want to make sure that your vendor has included all applicable controls and has a well-documented and implemented information security management system for both its technology and its organization, including: Product Engineering, Operations, Information Systems & Technology, Human Resources, Facilities, Finance and Administration, Legal, Security Quality Compliance and Global Support Services.
ISO 27001 certification provides invaluable security to your organization through its thorough evaluation of asset and risk management, making it an ideal criterion to evaluate when choosing a provider to trust with your organization’s most precious asset: its information.
Ken MacCuish is the Senior Vice President & Chief Information Security Officer at Intralinks. Previously, he was Global Head of Information Security at Bain Capital. As a Certified Information Systems Security Professional (CISSP), he has proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage an overall information security program that protects organizations from increasingly sophisticated attacks.