Google has announced that Google Apps for Business has earned ISO 27001 certification in a move welcomed by analysts...
and the UK cloud computing industry.
Google hopes the widely recognised, internationally accepted independent information security standard will help spur adoption of the cloud-based service.
Google said it had earned the certification for the systems, technology, processes and datacentres serving Google Apps for Business.
"It verifies and certifies the security and data protections we have in place for that set of applications," said Adam Swidler, the product marketing manager for security for Google Apps for Business.
The ISO 27001 compliance was certified by Ernst & Young's CertifyPoint, which is accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF).
This means certificates issued by CertifyPoint are recognised as valid certificates in all countries with an IAF member, including the UK, US, France, Germany, Italy, Spain and Sweden.
Preparation for the certification kicked off about nine months ago, with the audit and certification process starting about three months later, Swidler told Computer Weekly.
"But, no process or technology changes were needed because we are already compliant with the US Federal Information Security Management Act (FISMA), which is patterned on ISO 27001," he said.
However, the process meant Google had to go through all its sub-processors and collect all that information into a single comprehensive list for auditors.
Prior to the ISO 27001 certification, Google customers – who cannot audit Google directly – had to rely on SAS 70 audits, which were superseded by the SSAE 16 and ISAE 3402 audits.
"Whereas the SSAE audits are based on supplier-specified security controls that varied from supplier to supplier, with ISO 27001, all suppliers are audited using the same set of controls," said Swidler.
While the SSAE and ISAE audits were valuable to Google, he said, there is always a desire to have a more common standard set of certifications, with ISO 27001 emerging as something prospective customers in different parts of the world are seeking.
"It has been a fairly common request that we provide ISO 27001 certification, especially for companies in Europe as well as the Asia-Pacific region," said Swidler.
He believes the ISO certification to help businesses that previously would have been required to do a deeper level of due diligence to satisfy security requirements, to move more quickly into the adoption phase of evaluating the features, functions and business benefit.
The tide is beginning to turn, said Swidler, from the early days of cloud computing when security was typically a top concern, to security now becoming a driver for adoption, particularly in the medium-sized businesses that do not have the resources to achieve ISO 27001 certification on their own.
Ian Osborne, chair of the Cloud Industry Forum (CIF) standards sub-committee said ISO 27001 is one of a few important international standards that can genuinely be seen to benefit cloud service providers aiming to establish themselves in the marketplace.
"This standard deals with information security management, and compliance with ISO 27001, covering the scope of business activities required, can provide genuine reassurance to users of the cloud that their data will be secured and managed to a high industry standard," he said.
Because ISO 27001 originated in the UK as BS7799, said Osborne, the government also recognises this and compliance may well become a de facto requirement for vendors wishing to market their services into the public sector.
“As an industry body, CIF welcomes any commitment to standards by vendors and recognises their role in building trust between vendors and end-users," he said.
In 2010, CIF published a code of practice aimed at promoting the adoption of cloud-based services.
“We are working to identify key areas of the CIF Code of Practice where international standards can add benefit, and will shortly make this information available to guide applicants in their planning towards certification," said Osborne.
Analyst firm Ovum has welcomed the move by Google in light of the increasing need for organisations to report security breaches that could affect the performance or standing of the company.
"Ovum is pleased to hear that Google Apps for Business has obtained ISO 27001 certification, meaning that information security management is now explicitly under management control and not just an IT function," said Richard Edwards, principal analyst.
If the information security management or compliance strategies of an organisation do not extend to cloud services and the vendors providing these document and file storage services, then companies might find their most useful, and indeed valuable, information is put at risk, he said.
“Quantifying this risk of storing information in the cloud versus on premise is very difficult, and so most business managers are tending to turn a blind-eye and pretend that it is of little consequence," said Edwards.
"Ovum hopes that Google’s nod to best practice will encourage other information management cloud services vendors and their customers to pay more attention to this important aspect of corporate governance," he said.