You can’t help but notice that the trend towards the cloud has now become a stampede, and choosing a cloud-based solution is rapidly becoming the default position of many organizations. This is even more true at the smaller end of the company size spectrum, where a new start-up can now gain access to the kind of computing power and functionality that previously was a major differentiator for the big boys.
But placing your data in the cloud carries obvious risks and prompts questions such as “where is my data?”, “how safe is it?” and “can I trust the cloud provider to look after it?”. These concerns are understandable and up to now have acted as a brake on the widespread adoption of cloud solutions. Customers want reassurance and they are becoming increasingly aware of what to look for when seeking that reassurance. The days when a few well-chosen words on the cloud provider’s website would satisfy these concerns are coming to an end; customers want proof of the provider’s commitment to security, and the best (and, in many cases, the only) proof they will accept is an ISO/IEC 27001 certificate.
In a recent conversation, a hosting provider in the UK that is trying to expand by hiring more sales staff explained that many of the interviewees became less interested in the job once they realized that the company wasn’t certified. The general feeling was that the lack of certification would hamper the sales process so much that the job would be an uphill struggle and presumably therefore not be as lucrative as it otherwise would be. Based on their recruitment experience, this company is now on the verge of achieving certification to ISO27001 and sees it as essential to competing in their marketplace.
And it’s not just customers that are showing an interest in the ISO27001 standard; we are increasingly hearing of various regulatory bodies who are now mandating certification to all, or at least major parts, of it too. Certainly the gambling commissions of many countries now require a long list of ISO27001 controls to be in place and the trend could well be towards full certification before too long. Similarly, the national bodies that oversee internet domain registrations are also going heavily down this route. We would expect more of this to happen as these regulatory bodies try to ensure they fulfil their brief to oversee their industry to the best of their ability.
Given these pressures to adopt the standard and certify to it, many cloud providers are now coming to the conclusion that it is an essential part of their business strategy. They are also realizing that it saves a lot of time in responding to the security sections of invitations to tender if they can simply state that they are ISO27001 certified. Add to that the fact that they are very visible and obvious targets for criminal gangs, hacktivists and even state-sponsored groups and the argument for putting in place a recognized way of managing their information security risks becomes even stronger.
The international appeal of a cloud-based solution means that most vendors have customers spread throughout the world and the fact that ISO27001 is an international standard, created by representatives from almost all countries and recognized as best practice worldwide, means that it is the clear choice.
ISO27001 adoption is increasing and, according to the ISO survey 2014 (the latest available at the moment), there are now nearly 24,000 certified organizations worldwide, with Japan and the UK leading the way. If we compare this with the number of organizations certified to the more general ISO9001 quality standard, which now stands at over one million, there is probably plenty of appetite remaining for greater adoption of ISO27001, particularly given the fact that the ISO has recently harmonized these standards to make them easier to adopt as a pair.
So if you’re in the cloud business, it is worth starting to read up on ISO27001 and considering adding it to your management and business agenda very soon, because it’s likely that the competition already is.