Amazon AWS receives ISO 27001 Certification
Last week, Amazon was awarded the ISO/IEC 27001 certification for Amazon Web Services (AWS). The certification is significant because ISO 27001 mandates that specific management controls and requirements be in place. While the certification is not cloud-specific, it is a significant step and commitment towards governance, risk and compliance in the industry. It signals a maturation of the Amazon public cloud beyond its competitors and clears hurdles that many CIOs would consider barriers to enterprise adoption of public cloud computing in general.
ISO/IEC 27001 certification is a three stage audit process:
Stage 1 - a review of the information security management system (ISMS), which is the set of policies governing information security and IT risk management.
Stage 2 - a detailed and formal compliance audit performed by independent auditors against ISO/IEC 27001. Passing this stage grants certification of compliance with ISO/IEC 27001.
Stage 3 - a maintenance stage consisting of follow-up reviews or audits that occur periodically to confirm continued compliance with ISO/IEC 27001. Typically these occur annually, but they may occur more often if the ISMS is in flux.
On why the team did not pursue ISO/IEC 27002 certification at the same time, the AWS site states:
We don’t disclose every control we have in place, but of course we did consider all relevant guidance documented in 27002 as applicable to our scope covering AWS infrastructure, data centers, and services including EC2, S3, and VPC. As part of the certification process our auditors validated that we addressed all aspects of the 27002 guidance appropriate for our systems and services.
Amazon is not the first cloud vendor to achieve this certification: Salesforce.com has been ISO 27001 certified for some time, and Microsoft is actively pursuing the ISO 27000 family of certifications for its Business Productivity Online Suite. It is unclear what value this certification brings to the table, but at a minimum it provides a security standard by which to judge competing platforms as IT compares the ISMS of one vendor against another.
Craig Motlin Sep 01, 2014