Editor’s note: This is the first of a three-part series designed to address general compliance topics and to answer frequently asked compliance questions.
How many times have you been asked by a customer if SoftLayer is ISO compliant? Do you ever find yourself struggling for an immediate answer? If so, you're not alone.
ISO stands for International Organization for Standardization. The organization has published more than 19,000 international standards, covering almost all aspects of technology and business. If you have any questions about a specific ISO standard, you can search the ISO website. If you would like the full details of any ISO standard, an online copy of the standard can be purchased through their website.
SoftLayer holds three ISO certifications, and we’re going after more. We offer industry standard best security practices relating to cloud infrastructure, including:
ISO/IEC 27001: This certification covers the information security management process. It certifies that SoftLayer offers best security practices in the industry relating to cloud infrastructure as a service (IaaS). Going through this process and obtaining certification means that SoftLayer observes industry best practices in offering a safe and secure place to live in the cloud. It also means that our information security management practices adhere to strict, internationally recognized best practices.
ISO/IEC 27018: This certifies that SoftLayer follows the most stringent code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. While not all of SoftLayer is public and while we have very distinct definitions for processing PII for customers, we decided to obtain the certification to solidify our security and privacy principles as robust.
ISO/IEC 27017: This is a code of practice for information security controls for cloud services. It’s the global standard for cloud security practices—not only for what SoftLayer should do, but also for what our customers should do to protect information. SoftLayer’s ISO 27017 certification demonstrates our continued commitment to upholding the highest, most secure information security controls and applying them effectively and efficiently to our cloud infrastructure environment. The standard provides guidance in, but not limited to, the following areas:
- Information Security
- Human Resources
- Asset Management
- Access Control
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development & Maintenance
- Supplier Relations
- Incident Management
- Business Continuity Management
- Network Security
How can SoftLayer’s ISO certification benefit me as a customer?
Customers can leverage SoftLayer’s certifications as long as it’s done in the proper manner. Customers cannot claim that they’re ISO certified just because they’re using SoftLayer infrastructure. That’s not how it works. SoftLayer’s ISO certifications may make it easier for customers to become certified because they can leverage our certification for the SoftLayer boundary. Our SOC2 report (available through our customer portal or sales team) describes our boundary in greater detail: the customers are not responsible for certifying what’s inside SoftLayer’s boundary.
How does SoftLayer prove its ISO compliance?
SoftLayer’s ISO Certificates of Registration are publicly available on our website and on our third-party assessor’s website. By design, our ISO certificates denote that we conform to and meet all the applicable objectives of each standard. Since the ISO standards are steadfast and constant controls for everyone, we don’t offer our reports from the audits, but we can provide our certificates.
What SoftLayer data centers are applicable to the ISO certifications?
All of them! Each ISO certificate is applicable to every one of our data centers, in the U.S. and internationally. SoftLayer obtained ISO certifications on every one of our facilities because we operate with consistency across the globe. When a new SoftLayer data center comes online, there is some lag time between opening and certification because we need to be reviewed by our third-party assessor and have operational evidence available to support our data center certification. But as soon as we obtain the certifications, we’ll make them available.
Visit www.softlayer.com/compliance for a full list of our certifications and reports. They can also be found through the customer portal.