DK: More than a year and a half has passed since you were certified by ISO 27001 – what are your impressions? Was it really worth it?
GD: It was definitely worth it, since it turned out that an ISO 27001 certification is not necessarily a competitive advantage, but rather a must-have. The background of the whole story is that we are trying to address the regulatory demanding markets. So we are talking about the pharmaceutical industry, telecommunications, the financial industry, perhaps in the future also food production and similar, and they are altogether extremely regulated, and in a conversation with them you find out that ISO 27001 is something they expect, or else they are not willing to talk to you. So one would not say it is worth it in the sense that it has brought customers to us; rather, it actually provided entry into a market we otherwise would not have had access to.
DK: Why are so many potential customers emphasizing ISO 27001; why is this standard accepted as something that is necessary?
GD: For them, ISO 27001 is often not enough. It is necessary, but not sufficient. They establish with ISO 27001 some initial level though, something like: “Now we can start to talk.” If a company has an ISO 27001 certificate, they assume that some basic criteria are met, and after that, they’re actually looking for their specific annex. In addition, the ISO 27001 process shortens their audit – which now only takes two days, rather than six.
DK: Therefore, ISO 27001 actually is considered to be a baseline.
GD: That’s right, a baseline.
DK: Is there some other standard appearing, which would be a baseline for these potential buyers?
GD: No, I would say that ISO 27001 is the main requirement. In particular, financial institutions usually look at PCI DSS, but since we are an infrastructure data center, we do not go into their data and transactions when delivering infrastructure, and if PCI DSS were looked at, everything unrelated to infrastructure would be out of scope for us. So they expect that with the ISO 27001 certificate, we have covered those chapters in the PCI DSS that are relevant for the infrastructure. They did not ask for ISO 9001 because they generally assume that if we have ISO 27001 certification, ISO 9001, which is important to them, is already included.
DK: If I have understood your business well, then you mainly rent out infrastructure, so you don’t handle the data itself?
GD: In most cases it is so, yes.
DK: How beneficial is the ISO 27001 certificate for you as a provider of infrastructure services, considering that this standard has a focus on information?
GD: I would say that ISO 27001 isn’t based only on information, but also on everything that helps to ensure the safety and transfer of this information, and everything needed to make this information available, authentic, etc. In fact, the information as such is nothing; it cannot exist outside an infrastructure.
DK: In recent times, the trend has been more and more toward the cloud; how useful is ISO 27001 regarding this, or is it more of an obstacle? It could be an obstacle in fact, since the companies using cloud services actually lose control over their data.
GD: Actually not. If we think about the cloud in the way it is utilized by some of the big providers – be it Amazon AWS or Rackspace or similar – they have highly industrialized their cloud, and they have a standard set of products, which address more or less the same pattern; this whole story is designed in a way to have data centers around the world, and they migrate virtual servers between them, so in fact, from this perspective it really looks like the users don’t have control over their data. You can’t know where they are, since today they are maybe in Johannesburg and tomorrow perhaps in Munich, and you don’t have influence over the structure of the network, etc. That is a cloud.
But the cloud is also something else. Cloud is also what we do, but compared to other suppliers we would make a distinction, like between tailor-made clothes and industrially manufactured suits. So we cut and sew tailor-made networks: the user who comes to us agrees with us on the structure of the network, where the virtual servers are placed, and on the way security will be dealt with. Of course, it all has to be within certain standards in relation to those big global players, since these are their servers and cities, etc., where the user’s virtual machines are physically placed. We can define a framework within whose boundaries his cloud will operate.
DK: Thus, in contrast to these large industrialized players there are also smaller players, who actually adjust the cloud to their specific security needs.
GD: Yes. Actually, in my opinion, in this kind of setup we have managed to reconcile safety and economy. The cloud significantly saves resources and thus makes it possible to reach the same level or a higher level of redundancy, and in case of failures and technical problems, the virtual server will continue to work on a completely different infrastructure, and you don’t need to buy 3 or 4 servers for this purpose. This means we align the approach with the fact that the environment where everything is set up will be controlled, so that you are aware of the fact that you might share a physical server with another user. But, on the other hand, you know you have a completely separate network segment – that between you and anyone else there is a firewall, that it is in a cluster where access is controlled, so that there is no possibility for someone to remove a drive from the server and put it back in place without control, etc. It actually gives the users the feeling that they have the same security as before, but with the benefits of using a cloud.
Download this free white paper to read the complete interview: ISO 27001 Case study for data centers.
Goran Djoreski is the CEO of the independent data center Altus Information Technology. Previously, he worked for 12 years in the financial industry, in card business development as well as in the security of credit card payments.