As I am preparing our company for ISO 27001 certification I am spending a lot of time answering due diligence questions from customers about which of the 133 ISO controls we have in place.
The most concerning thing is the first question on all of these questionnaires – “Are you ISO 27001 certified? (if so include certificate, skip to end, sign and return)”. This would indicate that most prospects think their data is safe with a cloud vendor simply because it is ISO 27001 certified. They couldn’t be more wrong.
Implementing ISO 27001 well, using the ISO 27002 controls, within a Software-as-a-Service company isn’t easy – trust me, I’ve spent the best part of a year working on it. Most controls have at least two owners – one for internal systems and one for the production environment. Much of the ISO 27002 guidance is written around internal systems with limited access, not around multi-tenant service platforms with hundreds of thousands of subscribers. ISO auditors are also not used to auditing such environments, which makes the process much more iterative.
On the face of it, there seem to be managed service and Software-as-a-Service providers who are ISO 27001 certified, but you have to dig a bit deeper to understand how they’ve managed it. This is normally through one of two methods:
Limiting the scope of the ISMS to not include production platforms; or
Increasing the level of acceptable risk to reduce the amount of controls required.
Neither of these does the customer any favours. One of our major competitors only includes their HR and Finance processes in the scope of their ISMS – not very reassuring.
I’ve really made life difficult for myself: we have put our production platforms into scope, as well as all internal systems. In addition, we’ve chosen a risk treatment plan that includes 128 of the 133 possible ISO 27002 controls (the other 5 were out of scope as we don’t conduct ecommerce or outsource development). Increasing my workload ultimately delivers better security to our customers – and delivery to customers is what Software-as-a-Service is all about.
Ultimately a customer’s security is only as good as the security of the cloud vendors they use for handling critical outsourced business functions. Prospects need to get wise and make all vendors state the scope and nature of their controls. It increases our workload, but those who’ve taken the time to align the security of their platform and operations to their customers will win.