Just about all knowledge facilities promise to take care of excessive safety requirements. However how will you affirm that digital infrastructure amenities are as safe as they declare?
A part of the reply is to evaluate an information middle’s compliance with ISO 27001, a core data safety commonplace. By itself, complying with ISO 27001 doesn’t assure {that a} knowledge middle is as safe as it may well presumably be. However usually, ISO 27001 compliance on the a part of knowledge middle operators needs to be a primary expectation.
ISO 27001 is a framework that defines data safety greatest practices. Final revised in 2022, the framework is revealed by the Worldwide Group for Standardization (ISO) and Worldwide Electrotechnical Fee (IEC).
Key necessities of ISO 27001 embrace:
-
Assessing data safety dangers that have an effect on a company.
-
Establishing data safety insurance policies and controls that adequately handle a enterprise’s threat.
-
Deploying an Info Safety Administration System (ISMS), which centrally tracks and manages a company’s data safety controls and processes.
-
Documenting data safety shortcomings and taking steps to mitigate them.
In contrast to some compliance requirements and frameworks that impression knowledge facilities, equivalent to GDPR and HIPAA, ISO 27001 is a voluntary compliance commonplace. This implies there isn’t any authorized mandate for knowledge middle operators, or every other enterprise, to stick to the ISO 27001 pointers. Nonetheless, as a result of ISO 27001 compliance might help to display wholesome cybersecurity practices, changing into compliant is essential for establishing belief with prospects.
ISO 27001, the globally acknowledged commonplace for data safety, is overseen by the Worldwide Group for Standardization (Picture: Alamy)
What ISO 27001 Means for Information Facilities
ISO 27001 is an industry-agnostic commonplace whose steerage is designed to use to companies of every type. It doesn’t say something about knowledge facilities particularly or embrace guidelines which might be distinctive to knowledge facilities. Which means that there may be some room for interpretation in deciding precisely methods to meet ISO 27001 necessities inside an information middle.
That mentioned, most knowledge middle operators will discover that their ISO 27001 compliance wants fall into two foremost areas:
-
Bodily safety: Information facilities should implement the bodily safety controls essential to stop unauthorized entry – together with by malicious insiders in addition to exterior events.
-
Community safety: Information facilities should deploy community safety controls to guard community infrastructure and connections from assault.
These necessities apply to each knowledge middle, since all knowledge facilities are topic to bodily and community safety dangers. Past this, accountability for securing the {hardware} and software program {that a} enterprise deploys inside an information middle typically falls to the enterprise, not the info middle supplier.
Nonetheless, knowledge middle suppliers whose choices lengthen past bodily knowledge middle house and community connections could face extra ISO 27001 compliance wants. For instance, in the event you provide hardware-as-a-service, you’ll seemingly must implement safety controls to guard the {hardware} that you simply deploy on behalf of consumers in order for you them to be ISO 27001-compliant.
A Information to ISO 27001 Compliance Amongst Information Middle Corporations
Right this moment, nearly all main knowledge middle firms – together with Equinix, Digital Realty, and CyrusOne – provide ISO 27001 compliance inside their amenities. Many regional or native knowledge middle suppliers are additionally ISO 27001-compliant.
That mentioned, there are a few essential suggestions to remember when assessing the ISO 27001 compliance standing of knowledge middle firms.
The primary, and largest, is that the majority knowledge middle suppliers display ISO 27001 by acquiring compliance certifications from outdoors auditors. Which means that the choice about whether or not a person knowledge middle, or an information middle firm, is ISO 27001-compliant falls to whichever auditors the info middle operator chooses to work with. Some auditors could also be extra rigorous than others.
Learn extra of the newest knowledge middle safety and threat administration information
If you’d like particulars on how effectively a supplier meets ISO 27001 necessities and which strategies of interpretations auditors used to evaluate compliance, ask for copies of compliance stories. You may additionally ask for particulars about how just lately audits have been carried out.
A second issue to remember about ISO 27001 compliance in knowledge facilities is that compliance could differ from one knowledge middle to the following – so don’t assume that simply because an information middle operator boasts of ISO 27001 compliance on its web site that each one its amenities have equally rigorous safety protections in place.
These issues are essential as a result of, whereas it’s straightforward for knowledge middle operators to publish ISO 27001 compliance or certification statements on their web sites, it’s uncommon for them to reveal particulars to the general public about who performs their compliance audits, how usually they happen, and which particular safety controls have been reviewed. With out this data, it’s arduous to know precisely how effectively ISO 27001 certification truly interprets to safety greatest practices.
