The COVID-19 pandemic has been a real catalyst for accelerating certain business and economic trends. In the IT industry, this has included digitalization, facilitating remote working, and a growth in the use of cloud services. At the same time, companies still need to protect their sensitive data and comply with various data protection legislation.
What is an Information Security Management System (ISMS)?
An Information Security Management System (ISMS) refers to the policies, processes and controls implemented in a company to keep its sensitive data safe from security breaches.
A well-designed ISMS both minimizes risk and proactively limits the impact of any security breaches, should they still occur. As a cornerstone of a company-wide risk management strategy, it seeks to minimize the disruption a security breach could cause to the business.
Alongside a range of technical security measures, an ISMS must also ensure that business processes and employee behavior don't compromise sensitive data; people and process controls are as much a part of it as technology.
Where does an ISMS fit in with GDPR and CCPA?
An ISMS helps an organisation comply with data privacy legislation such as the European GDPR (General Data Protection Regulation) or the California Consumer Privacy Act (CCPA) by ensuring the three classic protection goals for information:
- Confidentiality: Data is not accessible by non-authorised people, entities or processes
- Integrity: Data is complete, accurate and can’t be altered or corrupted
- Availability: Data is accessible and usable by authorised users whenever they need it
How does an ISMS relate to ISO 27001, TISAX and ISAE 3402?
Certification confirms that your ISMS meets a defined standard. Applying for it, and implementing the standard's measures and controls, can only benefit your IT security.
ISO 27001 is the international standard for establishing, operating and continually improving an ISMS. It sets out the requirements for the management system, including risk assessment, documentation, internal audits, continuous improvement, and corrective and preventive action, together with a catalogue of reference controls in its Annex A.
TISAX® (Trusted Information Security Assessment Exchange) confirms that your information security management system meets requirements specific to the automotive industry. It is essentially an effectiveness check, in the real world, of ISO 27001-style controls plus the additional controls the automotive industry requires.
ISAE 3402 (International Standard on Assurance Engagements) SOC 1 reporting is for providers of outsourced services and cloud-based operating processes. An independent auditor confirms the effectiveness and continuous improvement of the provider's internal control system (ICS); a Type 2 report covers operating effectiveness over a review period rather than control design at a single point in time. The ICS protects all the information that is received, generated, distributed, archived and destroyed in the course of business activities, in accordance with legal requirements, national and international standards, internal corporate standards and contractual obligations.
ISMS and Cloud Services
Setting up and running an ISMS in-house for your company's network is no easy undertaking. Although it can be argued that aligning processes and policies should be easy when both originate in-house, in reality many companies augment their own IT infrastructure with cloud services from third parties. This leads to networks containing a mix of internal and external services, which require a high level of governance to make sure that the external IT providers don't undermine the level of information security you have implemented on premises.
What to look for when searching for an external cloud service to meet your own high ISMS standards:
- During the information-gathering stage, check that potential providers have the necessary certifications required for your industry.
- When talking to potential providers, ask pertinent questions such as:
  - Can you give me a detailed explanation of your disaster recovery strategy?
  - How is the redundancy of data centers tested?
  - How were the physical locations of the data centers chosen? Is there a specific strategy behind this, or were the locations chosen for historic or even random reasons?
  - Where exactly is the data stored, and do all these locations comply with both your own corporate data protection policy and relevant government legislation such as GDPR and CCPA? Bear in mind that, since Brexit, transfers to UK-based data centers need a valid transfer basis under GDPR, so check the current status of the EU's adequacy decision for the UK before relying on such locations.
- Check that the provider's IT security measures are state of the art. It is worth specifically checking the presence and quality of the following:
  - The processes behind a newly-launched service going live.
  - Continuous monitoring of the production systems and subsequent event management.
  - Incident management.
  - Release management.
  - Change management.
- Does the provider go the extra mile in cyber security initiatives to reduce the risk of ransomware, hacking attacks or similar?
How SEEBURGER Cloud Services could support your ISMS
With our migration tools and cloud services we help you quickly and securely build better digital capabilities and accelerate your business. SEEBURGER has many years' expertise in integration and international data exchange. We can help you integrate anything and improve customer onboarding, so your processes work quickly and seamlessly, and any changes needed in the future can be made more easily.
And all of this can be deployed on-premises, in the cloud, or as a hybrid of the two. In the cloud, you can rely on the certifications held by SEEBURGER, which attest to the quality and security of our ISMS.
We do not yet know exactly how the current pandemic will affect and change our working lives in the long term. We can see, however, that there have been changes across nearly every industry, and many of these changes will continue to require stringent IT security measures. The more you use cloud services as part of your IT operation, the more you need to govern the compliance of the cloud service providers delivering them.
Check what ISMS-relevant certifications your Cloud Service providers have, so you do not undermine your own standards.
Get in contact with us.
Written by: Christoph Stäb
Christoph Staeb is the Corporate Information Security Officer (CISO) at SEEBURGER. He has 14 years of experience with the quality management and security considerations of SEEBURGER products and services. He has achieved ISO/IEC 27001 and ISAE 3402 (SOC 1) Type 2 certifications for SEEBURGER Cloud Services and knows the insides of data center operation in compliance with guidelines in international environments.