We are often asked to make sure we source servers or products from companies that are ISO27001 (or ISO9001) certified. While it’s good to have a stamp to prove that a company has attained a certain standard, I feel there is often confusion over what this certification actually means.
Luckily, Alec Muffett, a friend of mine, wrote a lovely piece on his blog about Google receiving ISO27001 certification for their Google Apps products…
ISO27001 is good to see stamped upon a vendor’s product and business processes – however it is emphatically not a “seal of security approval” – not at all.
The promise of 27001 certification is that a vendor has considered and documented various security risks and threats which would impact their offering – and has established a process to continue this in an ongoing fashion – and then has had the documentation of that understanding cross-checked and validated by an external agency.
In sporting metaphor: a vendor (in this case, Google) gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it; and then they jump over it and the certification agency simply attests that they have successfully performed a high-jump over a bar of their own design. The design documents and jump technique do not need to be made public.
So what would be really interesting would be if Google publishes their security requirements, their standards, their policies and risk assessments, so everyone else can see what kind of high-jump they have just performed – how high, how hard, and landing upon what kind of mat?
It would be that which would inform me of how far I would trust Google Apps with sensitive data, most especially with regard to the provisions they must make for “lawful access” to data by government actors.
Dogsbody Technology helps you cut through all the layers of sourcing new infrastructure. Talk to us to find out how.