Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

Why ISO27001 is a No Brainer for Cloud Service Providers

 

 

The cloud is here. I don’t think anyone doubts this now; what started as an unusual business and technology model a few short years ago with innovators like Salesforce.com has now become almost a de facto way of implementing new services for organizations large and small.

Cloud Service Providers (CSPs) from a significant part of the CertiKit customer base so we thought we’d take a look at why so many companies in this growing industry are getting themselves certified.

Internet security concept. Flat design. Icon in turquoise circle on white background

Huge Data Stores

Idea behind the cloud is great, because it leverages big economies of scale to make processing facilities available at a fraction of the cost that it would take for a single company to do it themselves. It allows even the smallest company to do what previously was the preserve of those with big IT budgets.

But the downside is that we now have a huge store of data from many companies all in one place. This presents a much more attractive target for hackers to go at because, not only does it have to be internet-accessible, but there is only one set of security controls to breach in order to get access to all that lovely data. So many CSPs feel as though they have a big round target painted on their backs, and “threat actors” from all over the world are queuing up to try their luck.

It's a Reputation Business

Ask any CSP what their most valuable asset is, the one they fear to lose the most, and they may well tell you that it’s their reputation. The cloud is a competitive market and customer loyalty is in many cases a thing of the past. So if a CSP suffers a security incident in which information is lost then that can affect their reputation and so lose them many customers. The press love a good hacking story, whichever country you’re in, so the chances of keeping it quiet are pretty slim.

Stricter Regulation

Furthermore, even if you weren’t required to make an incident public before, chances are you will in the future. Many states of the USA have mandatory breach notification laws and with the coming of the European Union’s General Data Protection Regulation (GDPR) in 2018, companies will be more obligated than ever to tell the world when something bad happens. Add to this the increase in the fines applicable if an organization is judged not to have protected personal data effectively (up to 4% of worldwide turnover) and the stakes have definitely risen.

More Discerning Customers

All of this hasn’t escaped the notice of most corporate customers of CSPs; they don’t want to be publicly shamed and fined any more than the CSPs they use do. So they now look very carefully at the CSPs they consider making use of to get a fair degree of reassurance that their data will be protected. And how do they judge that?

Enter ISO27001

By asking whether the CSP has ISO27001 certification. This tells them that the CSP has an Information Security Management System (ISMS) in place and is actively managing its information security risks and controls. This is testified to by a reputable third party, a Registered Certification Body (RCB) who has audited the CSP and issued a certificate to say they meet the ISO27001 standard.

Benefits for CSPs

So what does all this mean for the CSPs themselves? Well, it means that:

  • They are less likely to have their reputation affected by an information security breach and so lose existing customers
  • They are less likely to be publicly censured and fined
  • They attract more customers because they are seen to value information security
  • They spend less time filling in customer questionnaires because customers accept their ISO27001 certification as proof of their commitment to information security

All of which adds up to a solid business case to become certified to the ISO27001 standard.

And if you use the CertiKit ISO27001 Toolkit, you will get there even quicker.


More ISO27001 resources

CertiKit is a provider of ISO toolkits, consultancy and internal auditing services, and has helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

The kit did 90% of the work for me.

Medix
Israel

View all Testimonials