ISO 27001 in a cloud world

Mimecast is preparing to go through our ISO 27001 certification at the moment and it struck me quite how different it is to certify as a cloud service vendor rather than as a traditional company.

Excuse my oversimplification of the ISO 27001 process for those not involved in it, but effectively there are four stages:

1. Define the organization’s acceptable risk
2. Work out what risk the organization is exposed to
3. Apply controls to reduce the residual risk to a level at or below the acceptable risk
4. Rinse, repeat

A common method is to conduct a risk assessment, perhaps using the methodology covered in ISO 27001’s sister publication ISO 27005, and then apply controls to manage the identified risks from another sister publication, ISO 27002.

Now an organization is normally free to choose whatever acceptable level of risk it feels it is able to bear. Often a higher level of acceptable risk is what gives an organization a competitive advantage, allowing it to be nimble enough to seize opportunities that other, more risk-averse, organizations cannot.

In a traditional vendor this higher level of risk acceptance won’t normally impact the customer – short of a leak of customer information, a continuity incident affecting the ability to support customers, or too many incidents driving the company out of business.

In a cloud vendor this is very different – the vendor’s security is your security. Rather than using the vendor’s equipment within your own environment, your data is processed within the vendor’s environment and on the vendor’s equipment. The vendor’s approach to security needs to reflect the sensitivity of the data the cloud vendor is processing or storing on your behalf.

The good news is that we are seeing a definite acknowledgement of this in the market. When we receive RFIs/RFPs from prospective customers, they’ve often had the foresight to ask questions about which specific controls have been implemented rather than just asking a boilerplate question about whether we possess ISO 27001 certification.

Organizations such as the Cloud Security Alliance are promoting best practice within the industry, but one of the tenets I repeat again and again for those moving to the cloud is caveat emptor (“buyer beware”). Make sure that your due diligence includes questions about the areas of risk you’ve identified within your own business – look for alignment of controls whether you’re processing and storing on-premise or outsourcing to a cloud services company.