We announced the successful completion of our first SAS 70 Type II audit just about a year ago. Earlier this year I talked about an application that had successfully completed the FISMA Low assessment and then received the necessary Authority to Operate.
Today I am happy to announce that we have been awarded ISO 27001 certification.
The full name of this certification is "ISO/IEC 27001:2005 - Information technology — Security techniques — Information security management systems — Requirements." This is a comprehensive international standard and one that should be of special interest to customers from an information security perspective. SAS 70, a third party opinion on how well our controls are functioning, is often thought of as showing "depth" of security and controls because there's a thorough investigation and testing of each defined control. ISO 27001, on the other hand, shows a lot of "breadth" because it covers a comprehensive range of well recognized information security objectives. Together, SAS 70 and ISO 27001 should give you a lot of confidence in the strength and maturity of our operating practices and procedures over information security.
We receive requests for many different types of reports and certifications and we are doing our best to prioritize and to respond to as many of them as possible. Please let me know (comments are fine) which certifications would let you make even better use of AWS.
Relevant AWS jobs include:
-- Jeff;
Something I hear quite often is concerns about PCI compliance. I know there are issues here (e.g., the "on-site audit" requirement for level 1) but if Amazon can find some way to solve these I think it will be a very big deal.
Or we could all use Amazon FPS, of course... but Amazon needs to make it available internationally before that's an option.
Posted by: Colin Percival | November 16, 2010 at 10:34 AM
Congratulations on getting this certification. The timing of this for me and my company couldn't be better.
Posted by: Barry Cronin | November 16, 2010 at 10:43 AM
Some clarification on what the current situation with PCI-DSS is, and what your plans are to assist customers in being able to deploy systems which handle information which falls under its remit would be appreciated.
Posted by: Adam Auden | November 16, 2010 at 10:53 AM
To be honest, we need you to offer an England data centre. Our app is perfect for scaling out into the cloud but our customers' data must be held within the legal borders of England for data protection reasons. We're not even allowed to use LogMeIn to connect to customer's sites for support reasons - because that connectivity would go through America.
Provide facilities to launch a cloud in London and beat Rackspace to it!
Posted by: James | November 16, 2010 at 12:30 PM
Congratulation on this achievement!
Do you plan to publish the Information Security Policy, the scope including sites and the statement of applicability (SOA) ?
Posted by: BDicaire | November 17, 2010 at 01:17 PM
> Do you plan to publish the Information Security Policy, the scope including sites and the statement of applicability (SOA) ?
We do plan to publish additional information on our ISO 27001 certification.
Posted by: Jeff Barr | November 19, 2010 at 11:05 AM
Congratulations on 27001. Will you provide info on ISO 27002? What 27002 controls did you evaluate as part of of the ISMS? Thanks.
Posted by: Ted Ritter | November 22, 2010 at 05:06 AM
Ted, here's what our team has to say:
"We don’t disclose every control we have in place, but of course we did consider all relevant guidance documented in 27002 as applicable to our scope covering AWS infrastructure, data centers, and services including EC2, S3, and VPC. As part of the certification process our auditors validated that we addressed all aspects of the 27002 guidance appropriate for our systems and services."
Posted by: Jeff Barr | November 22, 2010 at 09:00 AM