ISO 27001: Trust is good, certification is better
IT security and data protection are fundamental cornerstones for every cloud provider. But how do companies know that what is promised on the website is true? This is where certification authorities come in, checking and certifying the facts. Examples of particularly relevant certifications in the industry are ISO 27001, one of the most important international IT security certifications, ISO 27018, the data protection standard for cloud services, and the Trusted Cloud label, which aims to create transparency and trust in cloud technologies.
The responsibility of cloud providers
IT security should have a high priority in every company. But this is especially true for cloud providers. Here, security problems affect not only their own business, but also the business of the companies that use the cloud service. Their customers and partners can also be affected as a result.
In addition, if IT systems and IT processes are poorly set up, the availability of the cloud services offered cannot be relied on properly. And any impairment of cloud services naturally has an impact on their users. A well thought-out and consistent IT infrastructure, on the other hand, reduces failure risks and potential follow-up costs.
Cloud providers therefore bear a high level of responsibility when dealing with their own processes and their customers’ data. They must build processes consistently, store data securely and protect the IT infrastructure against attacks. So there are many good reasons for companies to take a close look at providers.
But how can companies be sure that the provider delivers what it promises? They can take a look at customer references, for example. They can research whether there have been problems in the past and if so, how they were solved. They can rely on the reputation, and sound trust is good too, but certification is better.
To obtain this certification, cloud vendors have their information security management checked by external experts. This independent third-party testimony gives companies confidence in their choice of provider.
The importance of ISO 27001
ISO 27001 is the internationally leading standard for information security management systems (ISMS). In 2005 it was published internationally for the first time and in 2007 as DIN standard in German translation, and since then it has been updated again and again. Worldwide recognition is important, since cloud providers also offer their services mostly across borders.
This standard sets requirements for the establishment, implementation, maintenance and continuous improvement of a documented information security management system. These requirements vary depending on the structure and objectives of an organization, thus enabling flexible adaptation to specific business realities.
A risk management on the cutting edge
A balance of optimal use and optimal protection of data is aimed at. The integrity of the overall system is to be ensured, business secrets protected and work processes safeguarded from disruption. The approach is to identify and solve problems before security gaps occur.
The inventory of data, processes and hardware is determined, priorities are identified and made transparent, and the question is answered which data or processes are particularly sensitive and business-relevant and therefore require special protection.
Central to success is that not only the IT department deals with information security, but the entire company, i.e. all hierarchical levels and all departments are part of the process. Everyone must be involved, especially all areas of management.
It is also important to train employees and to create and practice emergency plans. Responsibilities should be clear and everyone should know what to do.
ISO 27001 also requires recurring checks by internal auditors to identify risks and optimize monitoring and protection measures. Thus, the IT infrastructure certified in this way is also prepared for previously unknown threats.
If a hacker should ever manage to overcome the security measures, the certified company is so well prepared that it can react quickly and contain the damage quickly by means of practiced procedures.
What ISO 27001 certification guarantees
The company …
- meets the requirements and objectives of information security.
- has developed a cost-efficient security risk management system.
- has a clear guideline for planning, implementation, monitoring and improvement of information security.
- complies with laws and regulations.
- has the necessary competencies in the area of IT security.
Being certified means that the IT infrastructure has been tested and found to be resilient so that risks such as data loss, information misuse, cloud service failure or disruption of business activities are minimized. The security of data and systems is taken seriously. Not only on the website, but throughout the entire company.
OTHER IMPORTANT CERTIFICATIONS
ISO/IEC 27018
This standard defines a data protection standard for cloud services that specifically addresses the data protection requirements for cloud computing. It examines what protective measures the cloud provider has taken for personal data.
Certification means that legal requirements have been met and security risks minimized, and that a high level of data security and data protection is in place.
Trusted Cloud
Trusted Cloud is a label for cloud services on the German market awarded by the “Kompetenznetzwerk Trusted Cloud e.V.”. This is actively supported by the Federal Ministry of Economics Affairs and Energy. Its members include the Bundesverband IT-Mittelstand, the Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e. V. (Bitkom) and the Fraunhofer Society.
In addition to questions of IT security and data protection, Trusted Cloud also looks at other criteria relevant to cloud users, such as contractual conditions or the location of the data center. It is intended to give users the assurance that the certified cloud offerings meet the requirements of transparency, security, quality and legal conformity.