DIN ISO/IEC 27001 is an international certification standard for information security management which has so far been used mainly by large multinational enterprises. Under this standard, managing information security extends far beyond system security, which focuses primarily on the technical side. It additionally comprises a very extensive package of measures which, among other things, requires strict compliance with defined organisational procedures and obliges the organisation to document everything connected with information security.
Some of the measures are legal requirements (e.g. the BDSG, the German Data Protection Act), while others are obligations towards customers and regulators. Stricter statutory conditions and compliance demands are increasingly forcing small and medium-sized companies to tailor their IT operations to extremely stringent requirements.
The official certification was preceded by the introduction of an Information Security Management System (ISMS) and a subsequent audit by a certified ISO/IEC 27001 auditor, Persicon Cert AG. The audit covered all the technical and process-oriented aspects connected with the security and risk management of Pironet NDH Datacenter. Because of the large number of measures that had to be realised, the design and implementation were handled in a company-wide qualification project which lasted several years.
Greater IT security in small and medium-sized enterprises
"Outsourcing IT operations enables companies to significantly enhance their data security. In small and medium-sized enterprises in particular, many customers feel helplessly out of their depth with the topics of data protection, compliance and the legally required IT security, and in their invitations to tender expressly ask for proof that the provider has a high level of expertise," explains Felix Höger, executive board member of Pironet NDH AG and Managing Director of Pironet NDH Datacenter. "With the new certification we are documenting the operative excellence in our processes and that we handle our customers' data responsibly, and are thus able to stand out clearly from less-qualified IT service providers."
Felix Höger advises companies which are potentially interested in outsourcing to pay particular attention to the topic of information security. Some IT service providers try to attract business with certificates and qualifications which merely sound similar. Others baulk at the great effort involved in introducing an extensive ISMS and consequently have only a limited part of their service offering officially certified, a part which, as a rule, is simply not the one relevant to most of their customers. Outsourcing customers should therefore always examine certificates critically and up front.
Management system for the entire company
"Software as a Service at Pironet NDH is, however, by definition characterised by holistic service performance and comprehensive security solutions, and the scope of our certification is therefore also extensive and covers the entire company," adds Dr. Clemens Plieth, Managing Director Service Delivery at Pironet NDH Datacenter. "For this reason our ISMS includes both physical and logical security in our data centres and the precautionary organisational measures for handling customer data, through to logging and archiving all operations which are relevant to security with a full audit trail."
For customers the ISO 27001 certification means compliance with clearly defined technical and security-related standards and thus with the defined Service Levels of Pironet NDH Datacenter. New findings are integrated into the management system on an ongoing basis in order to continuously adapt the security measures to changed conditions.
Further information: DIN ISO/IEC 27001
DIN ISO/IEC 27001 is an international standard for IT security management. The standard contains information on some 130 measures, explains what they do and provides instructions on how they must be implemented. It enables organisations to measure their information security and either to audit their ISMS internally or to have their security status checked by an independent third party, which awards the ISO 27001 certification. The ISMS consists of the following elements: security policy, security organisation, classification and monitoring of systems and inventories, personnel security, physical and environmental security, management of communications and operating procedures, access control, system development and maintenance (change management), incident management, business continuity planning and compliance with obligations.
Further information: Important aspects of DIN ISO/IEC 27001
- Information security guideline
The management must actively support information security within the organisation. It must approve an information security guideline, publish it and inform all employees and the relevant external parties of it.
- Checking the information security
The handling and implementation of information security must be reviewed at regular intervals by an independent party by means of audits.
- Security when dealing with customers
All identified security requirements must be complied with before a customer is granted access to the organisation's information.
- Raising awareness and training for information security
Appropriate measures must be taken to raise the awareness of all employees with respect to information security, and staff must be informed regularly of internal regulations.
- Access control
Security areas must be protected by appropriate access controls.
- Documented operating procedures
Operating procedures for the information processing facilities must be documented.
- Separation of duties
Duties and areas of responsibility must be separated.
- Separation of development, test and production facilities
Development, test and production facilities must be separated in order to reduce the risk of unauthorised access to, or changes to, the production system.
- Monitoring and checking the services of third parties
Services, reports and records supplied by third parties must be regularly monitored and checked; audits should be performed regularly.
- Audit logs
Audit logs must be created in which user activities, errors and information security incidents are recorded.
- Reporting of information security incidents
Information security incidents must be reported as quickly as possible through the appropriate management channels.
- Business continuity
A managed process for maintaining business operations (business continuity) must be developed and maintained throughout the company.