ISO 27001 is the litmus test for information security

December 11, 2012 6:02 AM EST

With increasing reliance on collaboration tools to improve information management in regulated industries -- such as financial services, healthcare and construction -- organizations must demand the highest levels of security from their external service providers in order to avoid data breaches and other incidents. Focusing on the physical data center that hosts the online collaboration service provider’s application isn’t enough.

When you become a service provider’s client, your proprietary information can be found not only in the hosted infrastructure, but also across multiple areas within the provider’s business. CRM applications, development environments, helpdesk applications, and other domains may move your information to users in multiple office locations. All of this sensitive information may be at risk without robust security management processes and procedures -- not only in the data center, but also within the service provider’s business.

©iStockPhoto.com/Baran_Özdemir

While there are many claims around compliance and certifications, the international standard you should rely on is ISO 27001, which details requirements for “establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).” Because ISO 27001 is a formal specification that mandates specific criteria, service providers should engage an accredited certification body for an independent audit and be certified as compliant – a critical step in validating their security claims and winning their clients’ trust. Self-assessment or “alignment with” the standard is not the same as certification.

When you entrust your data to an ISO 27001-certified service provider, you can be assured that: 1) the provider has implemented a wide range of security and privacy controls at all levels of its business; 2) all employees have been educated in relevant security and privacy issues; and 3) the provider can present verifiable evidence of its quality management-based security and privacy programs.

Here are some of the specific processes that should be covered under the service provider’s ISO 27001 certification. Note that a certificate applies only to its stated scope, so ask for the certificate and confirm that the scope covers the business units and systems that will actually handle your data, not just the data center:

  • Information classification and handling
  • Third-party access
  • Incident management and communication
  • Disposal of media
  • Hiring, discipline and termination of staff
  • Acceptable use of computer equipment
  • Development processes
  • Release and change management
  • Data access, availability and integrity

A final consideration is to ensure that the service provider’s ISO 27001-certified security management doesn’t compromise performance. Can the provider still deliver an optimal user experience? Also, does the provider include content delivery network (CDN) services in its base fees, or is an add-on charge required?

The business objectives of turning to an online collaboration service provider are improving workflow and productivity while controlling costs. It’s imperative not to undermine these benefits by introducing a significant security risk that can lead to breaches, data loss and a loss of reputation. ISO 27001 certification should be at the top of your search checklist.