The year was 1946. Experts from 25 nations convened in London to talk about the breathtakingly pragmatic topic of international standardization. Professionals from myriad fields were getting together to figure out how a common language of quality control, related to how products were manufactured and services provided, could be spoken across continents with ease.
Many people yawn when the topic of compliance is introduced (due to its often dense technicality, its obsessive exactitude related to clarity of specifications, its perception as a snooze-worthy topic, its connection to federal regulations, etc.). Because many view compliance with boredom or indifference, it may be seen as unimportant, but we’re going to take a moment to appreciate how helpful compliance is.
The professionals who together founded the International Organization for Standardization (ISO) had a vision. They wanted to make it easier for people to know what they were getting when they went into business with other organizations or became the customers of a business. The ISO, put together by dozens of thoughtful, handshaking men in suits (well, it was 1946), offered a way for people to avoid having to take another company at its word and instead get an objective reading. Through certification, in which a third party verifies compliance with a specific standard, the ISO provides a way to externalize and, well, standardize B2B trade, vendor relationships, and the filtering of products and services by savvy customers.
What is ISO 27001 or ISO/IEC 27001?
One of the most important standards the body has created, and continues to develop, is ISO 27001. The most up-to-date version of this standard, as of this writing, is ISO 27001:2013.
The full official title of the standard is currently not the snappy “ISO 27001” but ISO/IEC 27001:2013. The IEC is a separate standards institution, the International Electrotechnical Commission: it develops ISO 27001 in partnership with the ISO.
In fact, the IEC develops numerous standards in conjunction with the ISO. The technical committees and subcommittees of the two organizations interact with one another, facilitated at the top level through the office of each association’s CEO. The collaboration between these two standards organizations is so tight that they even notify each other when they come up with an idea for a new standard, so that they do not perform the same work redundantly. In a sense the two associations are a check and balance for each other, but they align their work, showing their commitment to standardized protocols and operations over promotion of their own organization.
ISO 27001, in brief
This standard was created to set reasonable requirements for the setup, deployment, maintenance, and ongoing improvement of an information security management system (ISMS), a set of policies and procedures that allow an organization to handle confidential and potentially critical data meaningfully and systematically.
Putting together an ISMS is a sophisticated process that is not one-size-fits-all. The management system is driven heavily by dynamic factors that vary case by case and also change as time passes: the goals of the firm, its concerns about compromise, and the operations of the entity, as well as the way it is structured and how large it is.
The ISMS keeps the data within an IT system or systems private (confidentiality), accurate (integrity), and highly retrievable (availability) through a series of straightforward risk management steps. It should generally lend a sense that the company is paying attention to the evolving threat landscape and putting appropriate protections into place.
How ISO 27001 relates to cloud and dedicated hosting environments
ISO 27001 is a broad set of guidelines that are intended as all-encompassing for IT systems, which would include hosting environments such as dedicated and cloud, as well as your own data center.
ISO/IEC 27001 is within the ISO/IEC 27000 series. The series is “probably the most widely recognized and used set of standards relating to the security of ICT (Information and Communication Technology) systems,” according to the nonprofit Cloud Standards Customer Council (CSCC). The CSCC notes that 27001 and 27002 are the two key standards, with the former a checklist for how an ISMS should be designed and the latter an overview of best-practice controls for an ISMS.
It should be noted that ISO 27001, for better and worse, is somewhat flexible, in the sense that different types of companies (based on size, form, etc.) will have different security needs. For cloud customers, this means that the service provider is able to select the security controls that best fit its individual situation. While flexibility can be good in that requirements remain reasonable and pragmatic, it also means that simply determining whether a cloud service provider is compliant can be more challenging than with more rigid standards.
The same basic idea applies to any type of web host: cloud or dedicated. It is simply a question of incorporating the servers within your hosting environments into your management system.
Understanding core processes for ISMS development
One element that you will want to consider when you look at hosts is the ways in which they are involved with your primary ISMS processes. Part of the challenge here, immediately, is the same issue listed by the cloud association above: every organization is different, so the standard is a bit fluid.
Researchers from Germany and Norway, Knut Haufe et al., tackled this issue in Procedia Computer Science in 2016 with a set of descriptions related to three types of processes:
- Core processes – These processes, sourced from the knowledge of the company, have perceived and real value to users.
- Management processes – These processes shape and describe the goals of the entity and oversee the attainment of goals both at a core-process level and related to the full organization.
- Supporting processes – These processes do not have value to customers or users in and of themselves. Instead, they are tasked with administration and monitoring of resources that allow both management and core processes to take place. Examples include IT management, financial management, and human resources.
How does ISO 27001 relate to PCI DSS?
People often wonder how these various sets of standards are interrelated. One standard that, like ISO/IEC 27001, focuses on information security is PCI DSS. PCI compliance, which is of great importance for taking card payments online, has the full name Payment Card Industry Data Security Standard. PCI DSS is developed by a consortium of the major credit card companies and designed to protect online transactions. It sets specific requirements for specific data (cardholder data), while ISO 27001 is broader in what it covers. “When comparing the scope of the two standards, scope selection in ISO/IEC 27001 depends on the company; however, the scope is exactly the credit cardholder information in PCI DSS,” notes the ISACA (Information Systems Audit and Control Association).
ISO/IEC 27001:2017: Is it real?
To clarify the version year of ISO 27001: you may have heard of ISO/IEC 27001:2017. If you have not updated from the 2013 to the 2017 version of 27001, do not fear. These two standards are the same thing. That’s right: the European Committee for Standardization (CEN), a European Union body for public standards, caused some confusion in standardization circles earlier this year by releasing EN ISO/IEC 27001:2017. Following this release, national versions that also carried the 2017 version year were issued in the UK (BSI), Norway (NEK), and Italy (UNI).
Note that this standard is essentially identical to the original, with two minor corrections that were added in 2014 and 2015.
This topic is discussed aptly by Italian ISO 27001 compliance consultant Cesare Gallotti. “CEN adopted ISO/IEC 27001:2013 only in January 2017,” wrote Gallotti. “So its publishing date is… 2017. So its name is EN ISO/IEC 27001:2017 (with ‘EN’ at the beginning).”
While compliance can be stressful and confusing, it is also a way to know what you are getting from a cloud or dedicated host. ISO 27001 is just one way to review an organization’s IT systems, though. At Atlantic.Net, we specialize in Managed HIPAA Hosting and hold numerous compliance certifications, such as SSAE (SOC 1 & SOC 2), HIPAA, HITECH, and PCI DSS. See our stability and cost advantage.