Information security plays a critical role within CloudVPS: The security and protection of both your and our data is central to our mission. One measure that can be helpful to such a policy is the adoption of ISO27001, a standard in the same area of security.
We started our work implementing ISO27001 within CloudVPS in 2012, and received our certification at the beginning of 2013. This isn’t the end of it: Information security is a continuous process, not something you can check off a checklist and be done with. The standard recognizes this reality: Every year, an auditor comes around to check whether we still perform up to the expectations set by the standard.
The standard itself is also a moving target: It gets periodically updated to adapt to new challenges brought to light by the changing ICT landscape. The version of the standard that CloudVPS started out with was written in 2005, a time when, for instance, the concept of the Cloud was not on many people’s radars yet.
As a rule, this doesn’t have to be a problem; the standard allows room for extra measures to be introduced to acknowledge and mitigate risks that aren’t covered by the base standard. This is how we went about things: An extra set of measures was defined and published under the name ‘CloudControls’. This set was made an integral part of our standard.
New ISO27001 version
A new version of the standard was published in September, 2013. This updated version simplified a number of its elements, and improved on its overall structure. But the largest benefit for our situation is the way it asks for a clear definition of the context of an organisation. Where the old version saw information security primarily as an internal affair, the new version recognizes that it actually depends on a complex chain, where elements of this chain may be partially inside and partially outside of the company’s domain.
A good example is the dependency on the supply chain: When a vendor doesn’t follow up on a promised delivery, this could negatively affect the availability of information. For example: If there is no agreed-upon process with vendors for the replacement of broken hardware, there is a chance that systems may fail completely because no spares were available in time, or at all.
The context of the organisation also applies to information sharing: our customers generally want to have reliable, swift, and secure access to information on our side. It’s up to us to analyse what information this pertains to, how it should be shared, and how we can ensure that we restrict this information to the people with a need to know.
The old version of the standard did offer some anchor points for this, but this was all much more in the implicit domain, where the new version turned it into one of the central tenets.
So for the past year we have worked hard on the transition, resulting once again in a successful audit at the beginning of this year. CloudVPS is now certified ISO27001:2013 and NEN7510-2011.
You can view the CloudControls as a separate set, and download them, on http://www.cloudcontrols.org/.
More information on ISO can be found on http://www.iso.eu/