More and more companies and public institutions store business-sensitive data in the cloud. These organizations therefore need recognised standards that guarantee a minimum level of security and service. We give our customers this guarantee through our various certifications.
ISO 27001 is the most widely used information security management certification outside the United States. Its Annex A listed 133 controls in the 2005 edition (consolidated to 114 in ISO 27001:2013), and the standard applies to the whole Information Security Management System, not just to individual systems.
In the Statement of Applicability (SoA), a certified organization declares which controls apply to it and which it has excluded. We have implemented the most comprehensive scope of the ISO 27001:2013 certification, namely all 133 controls, with no exclusions.
The certificate, the Statement of Applicability and the audit report are freely available for inspection.
The healthcare industry processes and stores sensitive medical and patient data. To ensure that medical data is stored securely, the NEN (Dutch Standards Institute) created the NEN 7510 security standard, which builds on ISO 27001 with healthcare-specific requirements. We implemented NEN 7510 together with ISO 27001, and both have been audited.
Besides being one of the official NEN partners, we also sit on the NEN committee for cloud computing: Distributed Application Platforms and Services (DAPS). This committee deals with the new ISO standard for cloud services, ISO 27017, and with the Dutch Code of Practice for Cloud Computing. Our CloudControls are used as the basis for the risks and controls in that code of practice.
Cloud Certification: the CloudControls
ISO 27001 and NEN 7510 cover information security. However, there are other factors to consider when using cloud services. The outsourcing element of the cloud plays an important role: a layer of your infrastructure is purchased from a third party, which introduces additional risks to be covered. Think, for example, of preventing vendor lock-in, or of guaranteeing that you will receive the information needed to verify that the service level agreement is being met.
Another factor inherent in a public cloud is multitenancy: the uncertainties that come with sharing an infrastructure with other customers. To manage these outsourcing and multitenancy risks, we developed CloudControls together with KPMG and other companies. CloudControls consists of 44 controls, which can be audited independently or as an appendix to an ISO 27001 audit. The overview below shows the different categories with examples.
Risks, questions and controls
We are happy to share information about the CloudControls.
We offer a spreadsheet containing a list of cloud-related risks, together with the questions you should definitely ask your cloud provider. The CloudControls themselves are also included.
| Control Group | Control Sub Group | Short Control | Control |
|---|---|---|---|
| Multi-Tenancy | Multi-Tenancy | Isolation failure risk | The risk of isolation failure in virtualization technology and storage is reviewed frequently and kept to a minimum. |
| Outsourcing | Management Information and Control | Portability of services | Short-term contracts are possible; customer virtual assets are exportable and transportable in an industry-accepted format. Sufficient access to the environment or data is granted in order to carry out a migration. |
| Outsourcing | Legal Process | Data location and applicable jurisdictions | The customer can determine the jurisdiction in which data is stored. It is communicated which governments and jurisdictions can lay claim to a customer's data. |
| | | Information on resiliency | Disaster recovery plans and availability-enhancing measures are shared with customers when relevant. |
| Outsourcing | Security Process | Customer vulnerability assessment | The cloud provider offers customers the possibility to perform their own vulnerability assessment. |
| Outsourcing | Operational Process | Information on degraded services | Outage reporting: if a service was interrupted or degraded, a detailed report is provided on the cause and, where relevant, the mitigation measures. |
| Outsourcing | Interfacing with the Service | Customer payment data | Sensitive customer data is encrypted. Measures are implemented to prevent the storage and visibility of sensitive financial information. |