ISO/IEC 27001:2022 Recertification
cloudscale has once again passed its recertification audit for compliance with ISO/IEC 27001, 27017 and 27018. For the first time, the revised "27001:2022" standard was applied, which provides a more integrated view of "information security management systems" (ISMSs) than the previous version of the standard.
Certified for another three years
cloudscale.ch Ltd.'s information security management system has been certified since 2019. We have always been audited in accordance with the ISO/IEC 27001 standard, which deals with "information security" in general and can be implemented by organizations of virtually any size and in virtually any sector, as well as in accordance with the ISO/IEC 27017 and ISO/IEC 27018 standards, which contain complementary controls for securing cloud services and for protecting personal data in public clouds.
Certification is valid for three years and requires annual surveillance audits to remain valid. After our initial certification in 2019, we achieved recertification for the first time in 2022 and passed a surveillance audit in each intervening year. Recertification was therefore due again in 2025, and we are delighted to have maintained our status without interruption. The new certificate is valid until 2028 and is also available for download.
The new ISO/IEC 27001:2022 standard
The recertification audit was even more comprehensive than usual this year. For the first time, we were audited in accordance with the new ISO/IEC 27001:2022 standard, which provides an even more integrated view of information security than the previously valid ISO/IEC 27001:2013 standard. The new standard prescribes 93 controls that must be taken into account and – unless there are valid reasons to the contrary – also implemented. Although the total number of controls is lower than before, no controls have been removed; some of them have simply been reworded, streamlined and newly assigned to the categories "Organizational controls", "People controls", "Physical controls" and "Technological controls".
In addition to the existing, partly reworded controls, completely new controls have been added, for example with regard to "Business continuity" and "Configuration management". Here, once again, it paid off that information security has always been part of cloudscale's DNA: we had already covered many of the standard's new requirements in our day-to-day work. There were no changes in the two other cloud-specific standards (ISO/IEC 27017:2015 and ISO/IEC 27018:2019), whose controls were also tested in the audit.
Continuous improvement included
The unchanged main focus of the new version of the standard – and a given at cloudscale – is continuous improvement. The ISMS processes must be designed so that weaknesses and potential improvements are identified and improvement measures are implemented. This fits perfectly with the way we work at cloudscale and continuously improve information security (e.g. by means of automation, monitoring and redundancy). As a consequence, we can confidently look towards the surveillance audits that lie ahead during the certificate's period of validity until 2028.
Every year we are also audited for our ISAE 3000 report, which is entirely separate from the ISO certifications. This is not a certification but an examination of specific controls that some customers, in particular in regulated sectors, require for their internal reporting on outsourced processes. We are happy to make this report available to such customers on request.
Audits are a test, which means they are more of an obligation than a pleasure. In this context, we would also like to thank our certification body, Swiss Safety Center AG, for their support and constructive cooperation since our initial certification. It goes without saying that we are delighted that the seamless renewal of our ISO/IEC 27001 certification shows to the outside what matters to us all year round: the security – comprehensively understood as confidentiality, integrity and availability – of your data.
International standards, Swiss care.
Your cloudscale team