We’re very excited to announce that each of our five data centers, as well as our headquarters, is officially certified as ISO 27001 compliant! We received the good news from our auditors this month. The entire process took about four months, much faster than we or our auditors expected.
What is ISO 27001?
What’s so special about this? What is ISO 27001, anyway?
Well, ISO 27001 is one in a set of standards that specifically outlines the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. There are about a dozen standards in the ISO 27000 family, but 27001 is what’s known as a management standard, meaning you can be certified against it.
There are 14 specific controls the ISMS must meet in order to be certified as compliant, listed below:
- ISMS scope
- Information security policy
- Information risk assessment process
- Information risk treatment process
- Information security objectives
- Evidence of the competence of the people working in information security
- Other ISMS-related documents deemed necessary by the organization (optional?)
- Operational planning and control documents
- Results of information risk assessments
- Decisions regarding information risk treatment
- Evidence of monitoring and measurement of information security
- ISMS internal audit program and its results
- Evidence of top management reviews of ISMS
- Evidence of nonconformities identified and corrective actions arising
We are very pleased that we have passed each of these controls with no exceptions, meaning the auditor had no suggestions for improvement to meet the standard. We firmly believe in a company-wide culture of compliance, and it’s rewarding to see that culture reflected by way of our successful audit(s)!