ISO 27001 Compliance: What Data Center Operators and Customers Need to Know
ISO 27001 compliance helps ensure data centers meet essential security standards, but how can operators and customers verify its effectiveness?
Virtually all data centers promise to maintain high security standards. But how can you confirm that digital infrastructure facilities are as secure as they claim?
Part of the answer is to assess a data center’s compliance with ISO 27001, the core international standard for information security management. On its own, ISO 27001 compliance doesn’t guarantee that a data center is as secure as it could be: it attests that a management system exists and is followed, not that every control is strong. But in most cases, ISO 27001 certification should be a basic expectation of any data center operator.
What is ISO 27001?
ISO/IEC 27001 is an international standard that specifies the requirements for an Information Security Management System (ISMS) and, in its Annex A, a catalogue of reference controls that an organization selects from. The current edition, ISO/IEC 27001:2022, is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Key requirements of ISO 27001 include:
Identifying and assessing the information security risks that affect the organization.
Selecting and implementing policies and controls that reduce those risks to a level the business accepts, and recording the selection in a Statement of Applicability (SoA) that states which Annex A controls apply and why any were excluded.
Operating an ISMS: the management system of policies, roles, processes and records through which the organization tracks its security controls, measures their effectiveness and keeps them under management review.
Auditing the ISMS internally, documenting nonconformities, and taking corrective action so that the system improves over time.
Unlike regulations such as GDPR and HIPAA, which impose legal obligations on the organizations they cover, ISO 27001 is a voluntary standard: no law requires data center operators, or any other business, to adopt it or to be certified against it. Certification is still worth pursuing because it gives customers independent evidence that an operator runs a functioning security program, and many enterprise customers and contracts now expect it.
ISO/IEC 27001, the globally recognized standard for information security management, is published jointly by ISO and IEC (Image: Alamy)
What ISO 27001 Means for Data Centers
ISO 27001 is an industry-agnostic standard written to apply to organizations of every type. It says nothing specific about data centers and contains no rules unique to them. Annex A does include physical and environmental controls (physical security perimeters, physical entry controls, equipment siting and protection, cabling security), but how those controls are implemented, and which of them are in scope at all, is decided by the organization in its own risk assessment and Statement of Applicability. This leaves real room for interpretation in deciding exactly how a data center meets the requirements.
That said, most data center operators will find that their ISO 27001 compliance needs fall into two main areas:
Physical security: Data centers must implement the physical security controls necessary to prevent unauthorized access to facilities, data halls and equipment, whether by external parties or by malicious insiders.
Network security: Data centers must deploy network security controls to protect their own network infrastructure and customer connections from attack.
These requirements apply to every data center, since every facility faces both physical and network risks. Beyond them, responsibility for securing the hardware and software a customer deploys inside the facility generally rests with the customer, not the provider: a colocation provider’s certificate covers the provider’s own premises and processes, not the customer’s servers or applications.
However, providers whose offerings extend beyond floor space and network connectivity take on more. If you offer hardware-as-a-service, for example, the hardware you deploy on behalf of customers becomes part of what you operate, so you will need controls protecting it, and you will need that service included in the scope of your certification if customers are to rely on the certificate for it.
A Guide to ISO 27001 Compliance Among Data Center Companies
Today, virtually all major data center companies – including Equinix, Digital Realty, and CyrusOne – hold ISO 27001 certifications for their facilities. Many regional and local providers are certified as well.
That said, there are a couple of important tips to keep in mind when assessing the ISO 27001 compliance status of data center companies.
The first, and largest, is that providers demonstrate ISO 27001 compliance by obtaining certification from an outside certification body that audits them. The decision about whether a given data center, or a data center company, conforms to the standard therefore rests with whichever certification body the operator chooses, and some are more rigorous than others. One useful check is whether the certification body is itself accredited by a national accreditation body (such as ANAB in the US or UKAS in the UK); an accredited certificate carries the accreditation body’s mark and is subject to oversight that an unaccredited one is not.
If you want to know how well a provider actually meets the requirements, and how its auditors interpreted them, ask for more than the logo on the website. Ask for the certificate itself, which names the certification body, the certificate number, the issue and expiry dates, and the scope statement, and for the Statement of Applicability, which lists the controls the provider chose to implement and the ones it excluded. Full audit reports are usually treated as confidential, but providers will often share them, or a summary, under NDA. Ask when the last audit took place: a certificate is issued for a three-year cycle with a surveillance audit expected each year, so a certificate with no recent surveillance audit deserves a closer look. Many certification bodies also keep a public register where a certificate number can be checked.
Second, compliance may vary from one data center to the next. A certificate applies only to the sites and services listed in its scope statement, so don’t assume that because an operator advertises ISO 27001 on its website every facility it runs is covered, or that all of them have equally rigorous protections in place. Check that the specific site you are contracting for appears in the scope.
These considerations matter because, while it is easy for operators to post ISO 27001 compliance or certification statements on their websites, they rarely disclose who performs their audits, how often they occur, and which controls were reviewed. Without that information, it is hard to judge how well a certification actually translates into security practice.