Why Your Data Center Needs to be ISO/IEC 27001:2013 Compliant
By: Rob Morris on July 30, 2019
Compliance needs are an important consideration when evaluating a colocation facility. The certificates or attestations a data center has obtained say a great deal about that provider's management philosophy. Holding an ISO 27001 certificate proves that the provider has focused on the security of the information it controls and processes, including its customer and client information. A quality colocation data center should have a variety of certificates and attestations that indicate which compliance standards the facility meets.
One of the most important compliance standards to look for is ISO/IEC 27001:2013, often referred to by the shorthand ISO 27001. This certificate demonstrates that the facility’s policies and procedures have been tested and satisfy standards that ensure the Confidentiality, Integrity, and Availability (C, I, & A) of data. The specificity of the processes and security controls implemented helps to distinguish a premier data center from facilities that only meet the minimum requirements.
What is ISO/IEC 27001:2013?
The ISO 27001 standard evaluates risk to an information asset. An asset can be defined in many ways, including (but not limited to) personnel, an IT asset (system), a process, and intellectual property. Risk is the potential harm an incident could cause weighed against the probability of that incident occurring. Controls (policies, processes, and procedures) are implemented to reduce the probability of an incident that causes harm. The standard itself was developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Originally adopted in 2005 from a previous set of risk management standards (BS 7799 Part 2), ISO 27001 was extensively revised in 2013 to align its provisions with other ISO standards.
Receiving an ISO 27001 certificate demonstrates that a company has implemented security best practices for protecting information and managing risk. For data centers, it also shows potential colocation customers that the facility is committed to meeting demanding levels of information security.
ISO 27001 Requirements
To achieve ISO 27001 certification, a facility must prove, by disclosing documented evidence to an independent certified auditor, that it has implemented a functioning Information Security Management System (ISMS): a set of interconnected policies that manage information risks. While an organization doesn’t have to adopt a specific set of security controls, it must demonstrate that its ISMS is able to adequately identify, analyze, and address the risks associated with its information assets.
This flexibility exists because ISO 27001 applies to a wide range of industries, each with different potential security risks. Like many other compliance standards, ISO 27001 is focused on processes and procedures, assessing whether an organization is capable of identifying risks and managing them adequately in order to safeguard the integrity of sensitive information. This includes an evaluation of the organization’s needs, the role and responsiveness of leadership, the ability to plan for risk, the support systems in place to manage risk, the documentation standards for reporting, and the monitoring controls used to assess performance and make improvements.
ISO 27001 Certification Process
When an organization seeks to obtain an ISO 27001 certificate, it must begin with an internal audit. During this process, the ISMS is reviewed thoroughly and various assessments are conducted to confirm that information management follows best practices and is functioning as intended, and to identify the areas that are not performing or that need corrective action to bring them into alignment. After this required internal audit is completed, an external audit is conducted by an ISO 27001 auditor, independently accredited by ISO.org, with the authority to issue certificates.
Phase 1 (ISMS Management & Documentation): The auditor evaluates the entire program, assessing the effectiveness of ISMS structures, policies, procedures, and processes as well as the organization’s level of commitment to the program.
Phase 2 (On-Site Surveillance & Evidence of Performance): Every facility is inspected and toured for evidence that the policies, procedures, and processes of the ISMS are being performed and followed.
Phase 3 (Oversight of Deficiencies, Corrective Actions, & Follow-Up Reviews): The auditor returns at a later date to ensure that any necessary corrective actions are properly managed to completion. Before a certificate can be issued, the auditor must be satisfied that the resulting actions have closed the deficiency.
Once certification is achieved, ISO 27001 audits must be performed annually to renew the certificate.
Maintaining information security is one of the most important concerns for today’s organizations. By partnering with a colocation data center that operates according to the ISO/IEC 27001:2013 standard, organizations can rest easy knowing that the facility has already implemented best practices for identifying and managing risks when it comes to protecting vital data. When combined with other compliance certificates and attestations, such as HIPAA and SSAE 18, an ISO 27001 certificate demonstrates that a colocation provider has the ability to safeguard the information that is vital to business success.
About Rob Morris
Rob Morris is the Director of Program Management and the ISMS Manager. Rob chairs the vXchnge Information Security Council and manages the compliance campaigns and is our customer liaison.