Information security is a pressing concern for all businesses and a wide range of certifications exist to help companies establish and communicate high levels of security. If secure cloud hosting is of particular importance to you, there are some certifications that directly affect the claims a provider can make.
Here's a run-down of the certifications that most affect the security of data in the cloud.
ISO 27001 - Information technology -- Security techniques -- Information security management systems -- Requirements
ISO 27001 is the key information security standard and requires a company to have a systematic and documented approach to securing data in the form of an information security management system (ISMS). No two organisations are identical, and so every ISMS is unique - created by thoroughly reviewing information security risks and developing procedures to control them.
ISO 27001 is designed to be applicable to any business in any industry and so isn’t specially adapted to cloud hosting. It’s the cornerstone of security certifications, however, and without it, a provide can't claim to offer secure hosting.
ISO/IEC 27018 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Part of the ISO 27000 family of standards, ISO 27018 tackles the specific challenges of protecting information that be used to identify people, your or your customers for example, in cloud environments.
With the threat of security breaches, data loss and identity fraud looming large, ISO 27018 strengthens standard ISO 27001 to further secure sensitive personal data. Furthermore it specifies parameters for the return, transfer and secure disposal of personal data.
Cyber Essentials is UK Government backed scheme that outlines a baseline of cyber-security for organisations. The recommendations are suitable for all businesses to implement and consist of five key security controls that together can stop around 80% of cyber-attacks.
Implementing the Cyber Essentials recommendations ensures that a business possesses the basic security measures that can prevent the majority of information security breaches.
ISO 22301 - Societal security -- Business continuity management systems --- Requirements
How you choose to ensure the continuity of your business in a disaster or outage is one thing, but your provider absolutely must be able to continue operating if one strikes if you are to ever hope to.
ISO 22301 is the standard that demonstrates that a provider has a comprehensive business continuity strategy in place. Achieving certification means more than having redundant data and systems, although these are essential, and requires consideration be given to the impact on offices, staff, basic connectivity and more.
PCI DSS - PCI Data Security Standard
If your business accepts credit card payments then you and your suppliers have to be PCI DSS compliant.
The PCI council was founded by major members of the credit card industry to help standardise the safeguarding of customers data and finances. The PCI standard covers security measures such as protecting the storage of card holder data and encrypting transmission of that data across public networks.
N3 - NHS National Network
In order to connect to the NHS National Network (N3) your provider must meet the requirements for connection. At the core of these requirements is an Information Governance Statement of Compliance (IG SoC).
Receiving an IG SoC confirms that the requirements for protecting the integrity of the N3 network, and the sensitive, personally identifiable data there in, have been met by the company requesting to connect.
Public Services Network (PSN) Compliance
The PSN is the high performance networking connection public sector organisations. Providing services to the public sector requires PSN compliance.
In a similar fashion to N3 compliance, PSN compliance exists to protect the sensitive data that needs to be held and shared by public sector organisations. There are three different types of certificate depending on the type of service you want to provide: connection, service provision and connectivity.
Where do we stand?
ServerSpace is a part of the iomart group, the UK's most accredited cloud company. We're proud to have attained all the certifications listed above along with many others including ISO 9001, ISO 14001 and OHSAS 18001, meaning we can offer highly secure cloud hosting.
While every additional certification comes at some cost, we have a total commitment to quality and economies of scale that mean we are able to minimise these and not let them inflate our costs to you.