What ISO 27001 means for and our customers

Nov 4, 2024
An illustration representing numerous security certifications, including ISO 27001.


We have always worked to secure both our hosting platform and the websites of our clients. Whether it is protecting account information, providing the tools needed to withstand DDoS attacks, detecting and removing malware, or educating website owners about vulnerabilities in WordPress plugins, information security is one of our core strengths.

Any hosting company can make such claims, however. Proving them is harder.

The most effective way to back up these claims is to adopt information security policies and practices that meet widely recognized standards, and then have compliance with those standards validated by independent experts.

In August 2024, after completing the full SOC 2 monitoring period, we were awarded certifications for the data security and privacy controls jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

What is ISO 27001?

Erik Van Dijk, our Head of Information Technology, led the ISO 27001 certification effort and said the framework is "the highest benchmark" for security-related compliance.

ISO 27001 specifies the controls required to safeguard the confidentiality, integrity and availability of an organisation's information. In practice this means:

  • Confidentiality -- Ensure that only authorized individuals can access data.
  • Integrity -- Ensure that only authorized users can alter information, and that it is not changed in unintended ways.
  • Availability -- Ensure that information is accessible to authorized personnel when they need it.

Van Dijk said ISO 27001 defines the requirements for the various elements of an Information Security Management System (ISMS). That system is not just software and hardware. Alongside technological controls, the ISMS includes organizational, people and physical controls:

  • Organizational controls -- Defining the rules to be followed and the behaviour expected of users, equipment, software and systems.
  • People controls -- Ensuring that the people working in the organization have the education, training and experience needed to do their jobs securely.
  • Physical controls -- Measures such as access cards, security cameras, data center protections and intrusion sensors.

What are ISO 27017 and 27018?

Van Dijk said ISO 27017 and ISO 27018 are certifiable extensions to ISO 27001 that are specific to cloud computing environments.

ISO 27017 prescribes security controls and implementation guidance for cloud computing systems. They address matters such as:

  • Handling of customer assets after contract termination.
  • Segregation of customer virtual environments.
  • Monitoring of customer activity in the cloud computing system.

ISO 27018 focuses on protecting personally identifiable information in cloud environments. Its controls address issues such as:

  • Transparency about the geographic location where customer data is stored.
  • Restrictions on using customer data without the customer's consent.
  • Secure methods for transmitting, receiving and disposing of personal information.

Our ISO certification timeline

Our initial SOC 2 report in 2023 was based on a three-month audit period and covered the core Security Trust Services Criteria. The project evolved into ongoing monitoring with annual reports, and its scope was expanded to include the SOC 2 Availability and Confidentiality criteria.

Meanwhile, our study of ISO 27001 was already underway. Van Dijk said his in-depth review of the ISO 27001 requirements began around November 2023.

"ISO 27001 is extremely document- and process-heavy," he said. "It still contains a number of technical controls, but the main purpose of the framework is to establish an information security management system, along with its policies and procedures."

Van Dijk said a gap analysis showed that the SOC 2 project had already completed roughly 40% of the work required for the ISO certifications. So when the company's team came together in December 2023, it could quickly start feeding status data into Vanta, the platform selected to help collect evidence.

The team created 13 new ISMS policies and refined the existing policies written for SOC 2. By March 2024, the team had engaged the cloud security provider Rhymetec to conduct an internal audit, which helped identify what work remained.

BARR Advisory then conducted the independent audit that verified our eligibility for the ISO certifications.

"We always received praise from our auditors on how organized and ready we were," Van Dijk said.

The benefits of ISO 27001 certification

Our ISO 27001 certification (together with SOC 2 compliance) demonstrates our commitment to information security. We will keep earning our customers' trust through the regular audits that confirm continued conformance with our ISMS and are required to maintain our ISO 27001 certification.

Many prospective customers tell us that their hosting provider must be ISO 27001 certified. We are pleased to meet that requirement and happy to welcome them as customers.

Our ISO certificates show that we have the security posture to protect our customers' assets and reduce risk by following recognized best practices.

Summary

We have a proven track record of protecting customer data. The new ISO certifications build on the safeguards validated by our SOC 2 compliance efforts.

Visit the Trust Center for details on our ongoing compliance efforts.

Steve Bonisteel

Steve Bonisteel is a Technical Editor who began his writing career as a print journalist chasing ambulances and fire trucks. He has been covering technology on the Internet since the 1990s.