In Spring 2022, Divio received ISO 27001 certification and passed the ISO 27017 and 27018. What does that mean for enterprise businesses working with us?
Joel Burch
COO
Here, we'll be exploring ISO compliance, and what this means for both Divio and the businesses we work alongside.
Firstly, it’s important to understand that ISO itself is an international group of standards bodies. When we talk about ISO standards, we mean sets of internationally established standards of procedures and protocols. If you receive an ISO certification it means that you are meeting those standards; you have compliant procedures in place for preventing incidents and protocols ready if issues arise.
ISO 27001 specifically is an information security management certification. Our ISO 27001 certification is a promise that we have the appropriate measures in place and we have the appropriate standards implemented. What does that mean? We protect our clients’ data and we actively manage information security.
Of these three ISO standards, ISO 27001 is the main standard for information security management. ISO 27017 is an addition for cloud computing and it covers additional aspects of information security measures specifically for the cloud computing industry. ISO 27018 is for the protection of personally identifiable information (PII).
Both the most important and most significant certification is the ISO 27001 certification. ISO 27017 and ISO 27018 build on ISO 27001, meaning you cannot pass ISO 27017 and ISO 27018 without also passing ISO 27001. These two are also significantly smaller than ISO 27001, but the three of them form a greater whole, which is why we pursued all three.
But how does this effect and benefit our clients? Let's explore.
Divio’s enterprise clients can rely on our vendors’ information security compliance
When clients already work with cloud infrastructures (for example, from AWS and MS Azure and Google Cloud), they can rely on the security audits and certifications from these cloud vendors. The cloud vendors sit below Divio in the structure and their compliance standards cover the cloud infrastructure itself. Divio, which manages the cloud infrastructure and services and provides PaaS tools and features, builds its security and compliance on top of the cloud vendors. We are actually building upon the certifications of the cloud vendor/s.
A Divio client’s compliance is ensured from the infrastructure layer up through the management of the infrastructure and the PaaS. Therefore, when our clients use our service to manage and deploy applications, compliance is handled up to the boundary of the applications themselves.
Our clients essentially profit from the shared responsibility model of information security management from the cloud vendors, complemented by Divio’s fully certified services. In fact, our clients can enhance this layering of compliance even further, so that the application which is running inside the Divio solution and managed by the Divio solution is also compliant.
If you imagine an engineer’s drafting desk, the cloud vendors are essentially the legs that support the desk. They are uneven and different materials since they are all from different manufacturers, which presents a problem for the user. But in terms of compliance, the cloud vendors handle the compliance of their individual parts of the bottom of the structure. Divio then unites them all with a cloud management layer. You could think of this as the x-shaped bracket that securely joins the legs together into a single structure. We make sure the legs are all even and the load is properly distributed.
Divio’s PaaS is the layer on top, the actual work surface on which running, deploying, migrating and maintaining apps happens. This layer makes interaction with the various cloud vendors easy and straightforward for developers.
In this metaphor, while the cloud vendors handle compliance for their individual supports to the desk, Divio handles compliance from the legs up through the work surface itself.
ISO compliance accelerates vendor onboarding and cuts opportunity cost.
Information security compliance is important to everyone, but it is also surprisingly useful during the vendor onboarding process. A lot of companies have the requirement internally to say that they only work with vendors that have an ISO 27001 standard for information security management.
So why do they say that?
Because, with an ISO standard like 27001, there is an external audit which already confirms that Divio is compliant with an agreed set of standards. This obviates the need for an extensive due diligence process when working with a vendor who is ISO compliant like Divio. If, for example, we didn’t have ISO 27001 or other standards or reports, we would need to go through an extensive risk assessment.
Usually, this risk assessment takes the form of an Excel sheet with over 250 questions during the vendor onboarding process which the client provides. The questions might be something like: “How do you handle information security? How do you protect and manage any kind of data? What are your processes when you have an information security incident? What measures do you have in place to prevent these kinds of security incidents in the first place?” It takes much more time from the vendor perspective, naturally, because of the quantity of questions.
From the client's perspective, an employee needs to read those 250+ answers and follow up with any further questions or requests for clarifications and for proof. The onboarding process can become a long back and forth which can take up months. In that process, not only is the client company paying for the employee’s time who is doing that due diligence, they are also paying an opportunity cost while they wait to onboard a time and cost-saving tool.
Companies prefer a smooth and fast onboarding instead of wasting time on reviewing and discussing risk assessments during the vendor onboarding phase. ISO standards help us provide that better experience and service. The standard allows us to show clients that we comply with ISO 27001 information security standards. During the vendor onboarding process, a potential client can just tick a checkbox after receiving Divio’s ISO 27001 certificate. It’s simple and straightforward.
That's why a lot of companies are hesitant to work with companies that don't have that standard. They know that the due diligence process will be much more extensive and much more enhanced—for both parties.
ISO Standards Impact Divio’s Own Vendor Relationships
The ISO 27001 compliance standard is not only client focused, it is also vendor focused. The standard describes how to categorise vendors and to ensure periodic reviews among other things. For example, the ISO standard specifies if you have to re-evaluate existing vendors and their procedures every year on a recurring basis.
The ISO 27001 standard affects what we expect from our own vendors. Contractual agreements between Divio and our vendors set out detailed information security standards and responsibilities. Furthermore, those agreements also outline which processes are in place to ensure information security and what actions need to be implemented in case of an information security incident on the vendor’s side.
The ISO 27001 standard affects the whole ecosystem of Divio vendors, stakeholders, shareholders and even employees. Employees are a crucial part of an information security framework. They need to be trained on and need to have understood the policies, processes and measures. For Divio, ISO 27001 compliance is a whole company-wide information security solution that affects all internal and external relationships.
If you work with Divio, this is what you need to know about your responsibilities in terms of compliance as a client: essentially, as a client, you are wholly responsible for the compliance of your applications.
Clients can either (1) only work with external SaaS vendors which are also ISO 27001 compliant or (2) they develop and deploy applications themselves that are also ISO 27001 compliant. Divio does not have an impact on the compliance of the applications running on the Divio platform themselves.
We manage the data from those applications which is stored in the cloud vendors’ databases and the media storage, and we manage the data on the cloud infrastructures on behalf of the client. What the applications themselves do is not covered by cloud management or our PaaS, which is for managing apps’ migration and deployment, etc.
Essentially, we make sure that we handle data in a compliant way. At the same time, because client applications are a blackbox to us, we cannot make sure that the data in or data handling by a client's applications is compliant. Rather, together with the cloud vendors, we manage the information security responsibility for anything that passes through the cloud infrastructure apart from the applications themselves.
For those readers considering working with a non-compliant cloud vendor: if cloud compliance is not in place, there are many potential issues, but I will cover just a few.
If things go wrong, you could be looking at a very damaging situation including reputational damage and lawsuits. Employees can also be affected because they don't want to work for a company that does not protect data and that does not, specifically, protect their personal data as employees either.
Without proactive protocols, you could see situations where people will have access to your company’s financial information, which can give them a financial advantage in the marketplace and in trading. Not only can they profit from this knowledge, but it is also especially dangerous for listed companies if that kind of information gets out. Compliance protocols work to protect sensitive information.
Potential threats will also emerge if vendors are not handling their data on your behalf appropriately. That can certainly affect you as a client because as a client you have data that you manage or you work with which will be exposed through the negligence of a vendor. These are just a few examples of serious potential dangers you could face if cloud compliance is not in place.
The ISO 27001 standard shows how we work and the standard also outlines our protocols for information security management specifically. It goes beyond a general description of how we operate to show what we do for clients in the unlikely event we did have some kind of significant incident.
This includes: what we would do, how we would inform the clients and how we work proactively with our own vendors on those responsibilities. Our ISO 27001 certification shows the methods we use to protect our client by ensuring our own responsibility and the responsibility of our vendors.
Cloud compliance matters for businesses because companies need an assurance that their cloud management vendor follows certain standards and information security practices. When clients work with us, they know how we are handling their data, they know the way we are processing their data and that we have the highest standards and protocols in place. This knowledge is an assurance that they can rely on us to manage their information security conscientiously.
The ISO 27001 compliance certification shows that we behave responsibly with data. We give assurances and we lay out how we react in certain situations to prevent threats and also to prevent damage from any actual incidents that might occur.
This means that for our clients, if they're banks or insurance companies, for example, they can then turn to their clients and confirm that all of the vendors in their infrastructure, and all of the vendors in our infrastructure as part of their infrastructure, are ISO 27001 compliant. The data is proactively protected. Our clients can give their clients assurances about their own responsibilities.
Working with a compliant cloud management vendor like Divio helps companies do business safely. It removes obstacles to deals and helps bring in new customers.
In combination with the savings we provide in terms of time and money, the incredibly high level of award-winning support we offer and the efficiency increase our clients experience with our tools, we’re very excited about how our ISO 27001 certification is going to continue our clients’ great experience working with us.
Our clients now have a certificate that proves how committed we are to information security management. We value and focus on security and compliance for our clients’ benefit and that is why we are so pleased to share the news about our ISO 27001 certification.
To learn more about how you can streamline your company's cloud setup while enjoying the peace of mind of working with an ISO compliant cloud management vendor, take a look at our cloud professional services or arrange a chat with the team here at Divio.
Cloud Compliance / Cloud Cost Control / Cloud Management / Cloud Security
Divio Method and Compliance Part 2: GRC Tool
In this interview with Divio’s Jonathan Stoppani, read about how we set out to build our own Governance, Risk, and Compliance tool. The project exemplifies Divio’s approach to problem solving.