More and more organizations are looking to move to cloud to benefit from scalability, cost reduction and the ability to launch new service offerings fast. The dynamic nature of cloud however necessitates security and compliance controls that frankly can be daunting. Issues around mobility and multi-tenancy, identity and access management, data protection and incident response and assessment all need to be addressed.
And with multiple modes – SaaS, PaaS, IaaS, public, private, hybrid – creating added complexity in how security and compliance is carried out and by whom, this can lead IT leaders to think twice about leveraging cloud. Organisations already in the processes of implementing ISO 27001 to audit and report on the state of controls within their environment will know the immense amount of work required. However, while addressing compliance in the cloud is undoubtedly tough, it doesn’t have to be an obstacle.
What is ISO 27001 and why is it important?
ISO 27001 is a widely adopted global security standard and framework that sets out requirements and best practices for a comprehensive approach to managing company and customer information. Proving IT security practices is an important element of achieving ISO 27001. The business benefits of ISO 27001 certification are many. ISO 27001 is an effective way to reduce the risk of your organisation suffering a data breach, satisfies audit requirements and establishes trust both internally and externally that security controls are properly managed, providing customers with greater confidence in doing business with you.
What does it take to implement ISO 27001 successfully?
As companies race to combat security threats and address evolving compliance requirements they often struggle to implement and demonstrate the consistent security management that is core to ISO 27001. ISO 27001 is not for the feint of heart and does require significant organisational commitment.
Here are six key recommendations to help you achieve successful accreditation and maintain compliance in the cloud with ISO ISO27001:
- Engage with senior management from the outset and work with your leaders to drive standards. Buy-in is essential - and it’s not just directors and VPs - CFOs, CEOs and business owners all need to be on board. Clear communication from the top is key as the whole organisation will need to align to make the initiative a success.
- Review the standards that need to be put in place – think beyond process. Many organisations will attempt to put policies and procedures in place without realising that cultural changes need to happen to make those policies and procedures stick. Without the proper alignment it can be difficult to make the changes needed to achieve on-going compliance.
- Perform a gap analysis to understand any deficiencies. Conduct an honest assessment of where you are today and where the organisation needs to get to.
- Aggressively work to educate your employees. Put a plan in place and communicate with staff that ISO is a full organisation activity and is in everyone’s job description going forward. It’s not a one off.
- Always be cognitive of risk. The organisation needs to objectively evaluate all levels of risk as you go through the process, including the risk that you generate yourself. A successful outcome is dependent on this and may well change the way you operate and structure your services.
- Document, document, document. As you go through you’ll find that there are many pieces that need to be secured be that patching, remediation of events or incident controls. If you don’t leave a record it becomes difficult to prove the path you took to compliance. Your customers will also want to know what you’ve been doing and how you’ve been doing it.
How to ensure your cloud service provider supports ISO compliance
When working with third party cloud providers it’s your responsibility to ensure that all parties involved are compliant. Don’t just take a certificate at face value, you must validate an organisation’s claims when reviewing their ISO certifications, otherwise you are putting your organisation at risk.
Questions to ask include: What does the certification actually cover in terms of services and geo-locations? Is the certification for the entire company or only a segment of their operation? Who issued the certification and do they have an online database for validation? Is the issuer accredited to issue an ISO certification? Is the vendor willing to show you the auditor report behind the certification?
With the right people, processes and technology in place, IT leaders can actually leverage cloud service providers to help achieve ISO 27001 compliance – even more easily than they could achieve it with on-premise infrastructure. IT needs to ensure their cloud service provider has the security capability in place as well as the compliance reporting capabilities and, even more importantly, the willingness to help them maintain ISO compliance for their cloud workloads.
In conclusion, organisations should care a great deal about ISO compliance in the cloud and ensure their partners and providers care as well. ISO compliance in the cloud doesn’t have to be a nightmare, but you do need to approach the process with the level of rigour that the standard demands.
Frank Krieger is director of Compliance at iland, a company which provides cloud, colocation and disaster recovery services.