Certified as per ISO 27001, 27017 and 27018
Information security is becoming increasingly important in public perception, and more and more cloud users want to be sure that their data is in good hands. This is where independent certifications such as ISO 27001 come into play. Having passed certification successfully, cloudscale.ch Ltd meets the need for certified information security. In the following we provide a brief insight into this important topic:
What ISO 27001, 27017 and 27018 actually are
Be it paper formats, light bulbs or food safety: often unnoticed and behind the scenes, standards ensure smooth operation in all areas of life. The standards of the ISO 27000 series are well-known in the field of information security, which encompasses not only the confidentiality of information but also its integrity and availability. Certifications according to these ISO standards do not apply to a specific product, but to a company or its management system which is designed to guarantee information security.
ISO/IEC 27001:2013 defines a set of 114 so-called controls and thus a list of requirements for all possible aspects of information security that have to be implemented. How this is done in concrete terms is up to the company – the standard gives enough leeway so that organizations of all sizes and industries can implement it. As a public cloud provider, we have therefore implemented the standard with a corresponding focus on Infrastructure-as-a-Service (IaaS).
In our case it made sense to implement two more standards at the same time: in contrast to ISO 27001, which is universally applicable, ISO 27017 deals specifically with cloud services and defines a number of additional controls that are relevant for cloud providers and users. ISO 27018 in turn is about the protection of personally identifiable information (PII) in public clouds, a topic that has received increased attention especially due to the EU GDPR. cloudscale.ch Ltd has also been audited successfully according to these two standards (ISO/IEC 27017:2015 and ISO/IEC 27018:2019).
You can find all certificates on our website or directly at:
- https://www.cloudscale.ch/en/iso-27001-certificate.pdf
- https://www.cloudscale.ch/en/iso-27017-27018-certificate.pdf
What our path to certification looked like
Looking back, we can state that the introduction of an Information Security Management System (ISMS) and its certification has not changed our daily work significantly. The security mindset has always been part of our DNA, and most of our information security measures had already been in place for years. For quite some time, however, it has been apparent that end-to-end certification of the entire supply chain is important to our customers. The decision to pursue official certification according to ISO 27001 was made about 1.5 years ago. Subsequently, we sought external know-how for this process.
The actual "ISO project" took off in spring 2018 with a series of workshops together with our consultant, Dieter Roth, and a set of templates for the ISMS. The hard work then followed when it came to adapting the generic documents to our reality (and, admittedly, a tiny bit in the opposite direction). After all, our documented ISMS needed to reflect the guidelines and processes that we consider appropriate for our daily work. Of course, it was an advantage that our data centers were already ISO 27001 certified, so we did not need to work out our own regulations in this area.
Finally, the certification audit, sort of an exam situation, was surprisingly pleasant. Over three days, we had to answer an independent expert's questions and provide various pieces of evidence. We felt that the auditor from Swiss Safety Center understood our business, and it quickly became clear to him why we do things the way we do. We certainly had not dared to hope that not a single deviation would be found in the entire audit. All the more, this result confirms our security culture, which has shaped our work right from the start.
Which next steps lie ahead of us
The initial certification is a long-awaited milestone, and for many of our customers it is an affirmation of the trust that they have put in us right from the start. However, one of the key requirements of the ISO/IEC 27000 standards is continuous improvement, which must be incorporated in the ISMS. Not only the security precautions but also all processes have to be reviewed and developed over and over. Regular assessments are carried out in annual internal audits as well as in surveillance and recertification audits conducted by the certification body every year.
Of course, the sense of security also affects all of our future projects. Examples include ramping up another Swiss data center site, which enables our customers to build geo-redundant setups (availability), the migration of our Ceph cluster to BlueStore, which features integrated checksums (integrity), and disk encryption of our storage servers (confidentiality).
Information security has been a key concern of cloudscale.ch from the very beginning, and discussions with our customers confirm its importance time and again. It is not without pride that we see the successful certification according to ISO 27001, ISO 27017 and ISO 27018 as a recognition for our commitment and as a motivation to continue on our chosen path.
Signed and sealed,
Your cloudscale.ch team