About Jimmy

James 'Jimmy' Blake is the Chief Security Officer for Mimecast, a leading cloud services company based in London. James has overall responsibility for risk management for the organisation's internal IT infrastructure and service delivery platforms spread across four continents. James also manages the security of platforms deployed within partners such as Cable & Wireless and Iron Mountain.

James is also one of the founders of eyeCompli, a company providing Software-as-a-Service standards-based risk assessment and security program management solutions.

He holds a PhD in Information Security Management and is a Certified Information Security Systems Professional. James has nearly two decades of commercial experience in information security, business continuity and storage.

James has a love of loud Harley Davidson motorcycles, real ale, role playing games and even louder heavy metal.  He lives in rural Kent with his partner, Sonia, and stepson, Rafael.

Monday, 8 February 2010

ISO 27001 - due diligence on cloud vendors

As I am preparing our company for ISO 27001 certification I am spending a lot of time answering due diligence questions from customers about which of the 133 ISO controls we have in place. 

The most concerning thing is the first question on all of these questionnaires: "Are you ISO 27001 certified? (if so include certificate, skip to end, sign and return)". This would indicate that most prospects think their data is safe with a cloud vendor that is ISO 27001 certified; they couldn't be more wrong.

Trying to implement ISO 27001 well, using the ISO 27002 controls, within a Software-as-a-Service company isn't easy; trust me, I've spent the best part of a year working on it. Most controls have at least two owners: one for internal systems and one for the production environment. Much of the ISO 27002 guidance is based around internal systems with limited access, not around multi-tenant service platforms with hundreds of thousands of subscribers. ISO auditors are also not used to auditing such environments, leading to a much more iterative process.

There seem, on the face of it, to be managed service and Software-as-a-Service providers who are ISO 27001 certified, but you have to dig a bit deeper (the scope statement on the certificate and the Statement of Applicability) to understand how they've managed it. This is normally through one of two methods:

  1. Limiting the scope of the ISMS to not include production platforms; or
  2. Increasing the level of acceptable risk to reduce the number of controls required.

Neither of these does the customer any favours.  One of our major competitors only includes their HR and Finance processes in the scope of their ISMS - not very reassuring.

I've really made life difficult for myself: we have put our production platforms into scope, as well as all internal systems. In addition we've chosen a risk treatment plan that includes 128 of the 133 possible ISO 27002 controls (the other 5 were out of scope as we don't conduct e-commerce or outsource development). Increasing my workload ultimately delivers better security to our customers, and delivery to customers is what Software-as-a-Service is all about.

Ultimately a customer's security is only as good as the security of the cloud vendors they use for handling critical outsourced business functions. Prospects need to get wise and make all vendors state the scope and nature of their controls. This increases our workload, but those who've taken the time to align the security of their platform and operations to their customers will win.
