We’re delighted to announce that our data center has successfully completed its ISO/IEC 27001:2005 security certification.
ISO/IEC 27001:2005 is a standard for an Information Security Management System (ISMS), published jointly by ISO and IEC in 2005, that sets out how an organisation manages information security.
It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS, and it sets requirements for how the implementation of security controls is managed.
It is an international security standard, not one limited to North America.
How does it compare to SAS 70?
SAS 70 is a Statement on Auditing Standards issued by the AICPA (American Institute of Certified Public Accountants) in 1993, under which an independent auditor evaluates a service provider's controls and produces a report based on that evaluation.
Judith Sherinsky, a technical manager on the audit and test standards team at the AICPA writes about SAS 70:
“It isn’t a measure of security, it’s a measure of financial controls.”
A SAS 70 audit does not rate a company's security controls against any defined set of best practices. Because SAS 70 was designed to examine financial controls, a SAS 70 audit report may contain many items that have nothing to do with information security.
The fact that a company has conducted a SAS 70 audit does not necessarily mean any of its systems are secure.
Key difference: ISO/IEC 27001:2005 certification means the provider's ISMS has been audited against the standard's established security requirements and control set, whereas SAS 70 leaves it to the provider to choose which controls are audited. As with any certificate, the scope statement on the ISO/IEC 27001 certificate defines which systems and locations were assessed.