You’ve probably heard a lot of hosting companies talk about ISO 27001. Many people in the tech industry have heard of it, many understand it’s a security thing and it’s a box ticked for the procurement and IT departments, but that’s probably as far as most people’s knowledge stretches. But how do you know if a company is really ISO 27001 compliant? And what does it even mean? Greg Harvey, a British Standards Institute trained ISO 27001 internal auditor, explains all.
What is an ISO anyway?
Well, ISO stands for the International Organization for Standardization and they do pretty much what it says on the tin. They write standards that organisations around the world can use as the basis for a management framework to run themselves more effectively and in a way that is globally familiar.
Standardisation in management is the same as standardisation in coding: if everyone does things in the same agreed way then organisations speak the same language when they interact, they can have confidence their partners and/or suppliers have comparable systems to their own in place, that they’re working in the same way, and so on. There are literally thousands of ISOs you can implement in your organisation, covering quality assurance, service delivery, environmental impact, security, building usage, people management, etc.
Code Enigma has two ISO certifications covering our development, support and hosting services: ISO 9001 and ISO 27001, quality management and information security management respectively.
Do ISOs expire?
Absolutely they do. ISOs are revised every 8 years and adjusted to be more fit for purpose; as the world changes so do the standards. They evolve with technology, best practice, political evolutions, all manner of external influences. They must evolve to keep step and stay relevant in the ever-changing landscape of international business.
An ISO is typically valid for 10 years, and each ISO standard has a suffix for the year it was released. For example, there are currently two ISO 27001 standards in play, ISO 27001:2005 and ISO 27001:2013. However, ISO 27001:2005 expires this year (2015) and will no longer be valid, so any organisations compliant with 27001:2005 must ensure they are compliant with 27001:2013 by the end of this year. Similarly 2013 compliance will be relevant until 2023, but there will be a new 27001:2021 in, well, 2021 obviously! And this will supersede 27001:2013, and so on.
Again, Code Enigma is compliant with ISO 9001:2008 and ISO 27001:2013.
What does ISO compliance mean?
Anyone can declare themselves ISO compliant. It’s a set of open standards, you can purchase the controls and implement the ISO yourself. Of course, declaring your organisation ISO compliant without any external checking is a bit like a restaurant claiming to have the cleanest kitchen in Barcelona without ever having had a visit from the health and safety inspectorate. They might be compliant, but you wouldn’t really want to eat there unless you’d either seen the kitchen, or you knew a health and safety inspector had checked it out, right?
Code Enigma are not just ISO compliant. We are ISO certified.
How does ISO certification work?
Only a select number of organisations are permitted to approve and certify an organisation as ISO compliant, and in order to be certified, you need to be audited by an approved organisation. Complicated stuff!
In the UK there is a body appointed by the British government responsible for all formal accreditations, certifications, testing and calibrations called the United Kingdom Accreditation Service (UKAS). UKAS is responsible for accrediting the accreditors. If you want to be a recognised ISO certifying body, you must submit yourself to inspection by UKAS, who will officially give you permission to issue certificates of compliance to the ISOs you are qualified to audit. Our auditors, the British Standards Institute, are certified by UKAS to issue certificates to people like us, after a thorough inspection.
So when we say we are ISO certified, we say that because every 12 months experts from the British Standards Institute take our business processes apart (that’s our business processes, not the processes of our partners and supporting services - more on that later) and make sure we are running them effectively and in line with the ISO standards we signed up for. This is a very beneficial process, but it is lengthy, expensive and continuous. That’s why many organisations choose not to certify: this is not easy stuff, and the larger the organisation, the harder it is, especially if they didn’t have standardised frameworks baked in from the start.
OK, tell me more about ISO 27001 specifically
ISO 27001 is all about information security. The purpose of the standard is to help organisations build a management framework (typically called an Information Security Management System) to ensure they protect any information they handle, from post-it notes on desks right through to customer databases on servers. It does this by examining three key objectives: confidentiality, integrity and availability.
Confidentiality is whether the information is vulnerable to theft or copy. Integrity is whether the information is adequately protected from destruction, damage, and so on. Availability is whether the information is available to the people who need it, when they need it. Everything hinges on an organisation identifying its information sources (assets) and ensuring those assets are appropriately meeting the three objectives, known as the CIA triad.
To help you ensure you’re managing your assets effectively, the standard contains a large set of requirements, called controls, that basically act as a comprehensive checklist for operational information security. The latest standard, 27001:2013, consists of 114 individual controls that an organisation seeking compliance must either rule out of scope (for example, Code Enigma doesn’t really care about loading bay security) or have policy and procedure in place and be able to evidence you satisfy that control.
Here’s an example of a control:
9.1 Monitoring, measurement, analysis and evaluation
The organization shall evaluate the information security performance and the effectiveness of the information security management system.
That’s just one of the controls but it gives you a feel for the kind of things organisations need to cover (or at least explain why they don’t need to) in order to satisfy ISO 27001 compliance and, more importantly, certification by an auditor. Some of them are quite broad, like the one above. Others are really specific, like having documented coding standards to ensure code security or ensuring you adequately background check any freelancers you take on.
(If you want to read all the controls you can buy the standard from the BSI - or indeed other organisations authorised to sell a copy. You can also buy the ISO 27002 document from BSI, which is a very useful implementation guide that I strongly advise you get hold of if you are seriously interested in learning more about implementing ISO 27001.)
My hosting company says their underlying infrastructure provider is ISO 27001 compliant, therefore they are too. Is this correct?
Absolutely not. To quote my colleague Joeri, saying you are ISO compliant because your platform provider is, is a bit like saying your car is safe because the road it’s rolling on is certified. There’s a whole lot of stuff that can go wrong above the surface of the road, that’s why most countries kinda like to check the cars too, right?
Same goes for ISO 27001. It’s no good being on a secure, certified platform if you’re building a control panel on top of it that is not certified: there’s no guarantee whatsoever the software in the middle is secure, nor is there any guarantee data handling procedures are sane and adhered to, nor is there any guarantee the organisation tracks its own threat and risk environment.
There’s a whole load of things organisations like Rackspace and Amazon are doing to run an effective information security management system, and that’s great, but if the organisation resting on top of those platforms isn’t doing the same…? Well it’s all for nought. Your security is only as strong as the weakest part of the chain.
So if your hosting company says they are ISO compliant, that’s usually a clever way of hiding the fact they are not ISO certified. Of course, if they are truly ISO compliant then they probably have a certificate of compliance from an approved body as well. And you should ask to see it. If they don’t have a certificate, but insist they are compliant, then you should, as a potential or actual customer, ask them to submit to an audit of the information security management system, either by a certifying body (with a view to gaining a certificate) or by a qualified external consultant. Because if your data really matters to you, you won’t want to take their word for it.
Just one more thing… What about scope?
Glad you asked! Scope is really important for ISO 27001. You will always find it on the certificate and it’s really important you read it. If you look at our scope statement it reads as follows:
The protection of confidentiality, integrity and availability of customer/client data in the provision of Drupal consultancy, design and development, as well as specialist PHP hosting and support, primarily from the Head Office in London and remotely from across the world. This is in accordance with the Statement of Applicability, version 1.1, dated 19th September 2014.
So that’s pretty clear, right? It covers all our services, right through the line, so when BSI come to inspect us they look at everything.
But what if the scope statement for your hosting company reads like this?
The protection of confidentiality of all data transported via the Floor 1 post room of the Head Office in London. This is in accordance with the Statement of Applicability, version 1.1, dated 19th September 2014.
That’s a perfectly valid scope statement, and it might well accompany a perfectly valid ISO certificate. A certifying body will have come in and certified this organisation operates a secure post room on floor 1 of their London office, and issued a certificate. This organisation can now say “we are ISO 27001 certified” and it’s true, but the certification says absolutely nothing about the security of their hosting infrastructure!
So read the fine print, read the scope statement, make sure the certificate is relevant to the services you will be consuming.