When it comes to choosing a backup provider, businesses want some assurances that the provider can securely protect their data to ISO standards. Many providers will claim to have the protocols in place that ensure this, but often it is difficult for customers to know if what they are being told is true.
If a company says they are a secure backup provider, do you, as the customer, have any way to check this claim without getting bogged down in all the gritty details?
The simple answer is yes. In 2005, the ISO (International Organization for Standardization) published ISO 27001, an accreditation produced with the aim of giving customers a level of confidence when choosing a company that would be handling their sensitive data. ISO 27001 assesses the provider's information security management system (ISMS), which encompasses all areas of risk involved in the handling of data. This means that areas of the business other than IT are taken into account, for example whether the provider's data centre is set up so that data can be transferred securely.
Attaining ISO 27001 is a three-step process. The auditing company (for example UKAS) will perform an initial review of the ISMS already in place at the company and help with any issues in its design. The second stage involves testing the system to ensure it has been appropriately designed and can be properly implemented. The third stage is an ongoing review process that continues for as long as the company remains certified, to ensure that its ISMS is still compliant with the ISO 27001 standard. These reviews are conducted more often if the provider has recently attained the accreditation, to ensure that any changes recently made to its ISMS have been sustained.
This helps make choosing a backup provider more straightforward, as customers can trust that the provider meets a recognised standard rather than having to spend hours researching the subject. They can also be sure that in the case of a long-term contract the provider will continue to be tested and will therefore maintain the required standard throughout the duration.
It should be understood that holding ISO 27001 is not a required standard in the backup or data storage industry. Any company that holds ISO 27001 has therefore taken the time and effort to prove to its customer base (and all future customers) that it is capable and trustworthy when it comes to handling their data. For many companies, for instance legal practices and solicitors' firms, which have to hold on to personal information for several years after they first come into contact with it, the assurance that their backup or storage provider can maintain a high level of security for the foreseeable future is an important factor in choosing the provider in the first place.
ISO 27001 holds benefits for both the provider and the customer: it provides a benchmark that customers can look for in their provider, and the provider can aim to achieve the standard in order to gain a competitive edge in the market. Ultimately both parties can be confident that the ISMS is well tested and will keep sensitive data private.