Amazon AWS receives ISO 27001 Certification

by James Vastbinder on Nov 24, 2010

Last week, Amazon was awarded the ISO/IEC 27001 certification for Amazon Web Services (AWS). The certification is significant in that ISO 27001 mandates specific management controls and requirements to be in place. While the certification is not cloud-specific, it is a significant progression and commitment towards governance, risk and compliance in the industry. This signals a maturation of the Amazon public cloud beyond its competitors and clears hurdles that many CIOs would feel are barriers to adoption for enterprise acceptance of public cloud computing in general.

ISO/IEC 27001 certification is a three-stage audit process:

Stage 1 - a review of the information security management system, ISMS, which is a set of policies governing information security and IT risk management.

Stage 2 - a detailed and formal compliance audit performed by independent auditors against ISO/IEC 27001.  Passing this stage grants compliance with ISO/IEC 27001.

Stage 3 - maintenance stage consisting of follow-up reviews or audits which occur periodically to confirm compliance with ISO/IEC 27001. Typically the frequency is annual, but reviews may occur more often if the ISMS is in flux.

On why the team did not pursue ISO/IEC 27002 certification at the same time, from the AWS site: 

We don’t disclose every control we have in place, but of course we did consider all relevant guidance documented in 27002 as applicable to our scope covering AWS infrastructure, data centers, and services including EC2, S3, and VPC. As part of the certification process our auditors validated that we addressed all aspects of the 27002 guidance appropriate for our systems and services.

Amazon is not the first cloud vendor to achieve this certification, as has been ISO 27001 certified for some time and Microsoft is actively pursuing the ISO 27000 family of certifications for its Business Productivity Online Suite. It is unclear what value this certification brings to the table, but at a minimum it provides a security standard by which to judge competing platforms as IT compares the ISMS of a vendor.
