If the alphabet soup of information technology industry standards makes your head hurt – SSAE 16, SOC 1, SOC 2, ISO 27001, ISO 9001 – you’re not alone. It’s easy to get confused by all of the combinations of letters and numbers to describe the latest organizational certifications.
Still, if you’re looking to contract with a managed services provider for hosting your litigation data, you need to make sure you’re working with an organization that is compliant with the highest industry standards at their data centers. One crucial certification standard was recently retired and replaced – and it’s important to understand the most up-to-date version.
The Geneva-based International Organization for Standardization (known as ISO) develops standards for a number of global certifications. ISO 27001, the standard for information security management systems (ISMS), specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within an organization. For data centers, ISO 27001:2005 was the gold standard to meet for many years.
“The ISO 27001:2005 standard has now been retired and replaced by ISO 27001:2013, so any organization that seeks to be certified as compliant with this updated standard must be recertified from scratch,” explained Jeff Norris, CISSP, senior director of information security for LexisNexis Managed Technology Services, which manages and stores litigation data securely for law firms of all sizes.
Mr. Norris noted that the 2013 revision is the first major revision of the ISO 27001 standard since its inception. In preparing it, the ISO/IEC joint committee drew on practical experience from more than 17,000 registrations worldwide. The updates keep the standard current with changes in technology and the introduction of new technologies.
“The key changes in the revised standard are related to improved handling of IT security risks, such as identity theft, mobile device threats and online vulnerabilities,” said Mr. Norris. “There are also a number of improvements and consolidation of the security controls.”
Other changes in the 2013 version bring ISO 27001 into line with ISO’s new directives on management system requirements (the common high-level structure defined in Annex SL), which allow a company to operate one integrated management system rather than several distinct ones. For example, Mr. Norris notes that LexisNexis has taken advantage of this to run a single management system covering both its ISO 27001 and ISO 9001 certifications. The risk assessment requirements were updated in the same spirit to align with the other standards (notably the ISO 31000 risk management standard), which lets an organization use the same risk assessment methodology across all of them.
“It’s easy for IT executives to feel overwhelmed by all of these certifications, but the importance of selecting vendors that achieve any certification is the demonstration of the commitment of leadership and assurance of the business and business processes itself,” said Mr. Norris. “This also assists in validating with internal or external clients that their vendors are investing in sound business and security practices, and helps answer security audits and inquiries more easily. It doesn’t eliminate the audits and questions, but provides a good base to start from, minimizing efforts to explain the security posture of the vendor.”
ISO 27001 is recognized globally and maps relatively easily to other standards and certifications, according to Norris. Independent certification against a global standard such as ISO 27001:2013 provides third-party validation that your litigation data is being hosted in secure, highly available, certified data centers.