Data Centres

ISO 27001: Demonstrating the Security of Cloud Services in Your Data Centres

Leading data centre providers demonstrate their commitment to robust information security measures that preserve the integrity of their customers’ sensitive information by certifying their security management against ISO 27001.

As a multi-tenant platform, you must ensure that each customer’s applications are protected and run in isolation from every other customer’s applications; multi-tenancy does not provide that isolation on its own. You use encryption and strong password protection, and you validate the requests made to customers’ applications. And of course you follow industry best practices such as role-based access control and regular backups of customer data. So isn’t it time you brought all of this together in one scalable, adaptable and fully effective Information Security Management System (ISMS)?

Trust, but verify. Security in the cloud is always a concern, and taking it seriously means demonstrating compliance with best practice for cloud security and for the global telecom connections that carry customer traffic. Certifying against ISO 27001 (with or without the NIST Cybersecurity Framework (CSF)) gives customers transparency into your security policies, systems and operations.

Does your company already comply with leading security standards and frameworks such as SSAE 16 (since superseded by SSAE 18), SOC 2 and PCI DSS? Your world-class company needs a world-class Information Security Management System to tie those efforts together.

The ISO 27001 standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System, taking into account the organization’s overall business risks; the audit assesses whether the organization actually conforms to them. A neutral, independent certification body conducts the audit and assesses the operation of the data centre, as well as the applications, IT systems, processes and services in scope that are provided by the organization’s employees and contractors. Certification runs on a three-year cycle: a full recertification audit every three years, with surveillance audits in the intervening years that each review a section of the ISMS. Some providers commit to a tighter cycle, with a fully independent reassessment every year and surveillance audits every 6 months.

ISO & FedRAMP

Don’t Put Your Cloud Security Cart Before Your ISO 27001 Horse

As businesses of all sizes rely more heavily on cloud and Software-as-a-Service (SaaS) solutions, cloud security architects are in short supply—and the demand and cost for that skill set are only going to escalate in the next few years. It seems unlikely to me that there will be enough security professionals with the right mix of skills and experience to effectively architect a secure move to the cloud for every organization that needs that service going forward.

At the same time, more and more companies are seeking ISO 27001 certification as a “seal of approval” that shows prospects, clients and partners that their information security practices are sound. Are there synergistic ways that ISO 27001 compliance can help businesses meet cloud security challenges?

I think the answer is “yes.” Here are three possible scenarios to consider if your business is moving key IT systems to the cloud and also moving toward ISO 27001 certification:

Leveraging an information security assessment firm like Pivot Point Security to help you build and implement an information security management system (ISMS) in alignment with ISO 27001 best practices could delay or even eliminate the need to hire a cloud security architect. This would save significant money while streamlining your move to the cloud.

Whether your business is already ISO 27001 compliant or is just starting the certification process, folding cloud security efforts into your ISMS or related development initiatives before your move to the cloud will save you money by enabling you to combine the two projects into one.

Proper project scoping and objectives in alignment with ISO 27001 guidelines will help ensure that your cloud security is effectively architected, designed and tested to address the risks specific to your business both now and in the future.

In all the above cases, it’s important to tackle these issues in the proper order. ISO 27001 certification efforts represent the proverbial horse, and cloud security is the cart. Attempting to architect cloud security before you’ve addressed key information assurance issues around your on-premises IT puts you at a significant disadvantage from the get-go. Conversely, adopting ISO 27001 best practices will help your business prepare for any information security challenge, including those associated with leveraging cloud- and SaaS-based applications.

Ultimately you may still want to hire a cloud security architect to maximize your success in the cloud. But ISO 27001 certification efforts will ensure that he or she has the best possible foundation for success. The groundwork you lay with ISO 27001 will also help define and structure your cloud security plans, so you’ll know much more clearly what your new cloud security architect needs to accomplish.

How Government Cybersecurity Priorities & ISO 27001 Mix

National Cybersecurity Priorities Matching ISO 27001

Andy Purdy was the acting director of the National Cyber Security Division when George W. Bush was President of the United States. Purdy is now the Chief Cybersecurity Strategist at the Computer Sciences Corp.

In an interview with GovTech, Purdy shared the four cybersecurity priorities that he introduced to improve national cybersecurity.

The four priorities, each paired with the ISO 27001 activities that correspond to it:

Priority 1: Assess risk and prioritize measures to mitigate risks to government systems.
ISO 27001: Define the ISMS scope; risk assessment; risk treatment plan; gap assessment.

Priority 2: Create cyber-preparedness protocols and situational awareness for critical infrastructure.
ISO 27001: Develop a prioritized roadmap; execute the plan.

Priority 3: Delineate response actions.
ISO 27001: Monitor the environment; respond to incidents; implement continuous-improvement principles.

Priority 4: Continue research and development to ensure that everyone involved has the best actionable intelligence.
ISO 27001: Pre-certification audit; certification audit; surveillance audits; triennial recertification audit; ongoing internal audits.