Google Apps For Business Gets ISO 27001 Certification
Google announced on May 28, 2012 that its Google Apps for Business service has earned ISO 27001 certification; Google is following the standard ISO information security management protocols and best practices “for the systems, technology, processes and data centers serving Google Apps for Business.”
The importance of this particular certification is to assure users that Google's cloud solutions are "safe".
The ISO 27001 certification was issued by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council. Google also undergoes other third-party audits, including SSAE 16 / ISAE 3402, which is comparable to ISO 27001.
"ISO 27001 is one of the most widely recognized, internationally accepted independent security standards and we have earned it for the systems, technology, processes and data centers serving Google Apps for Business," wrote Eran Feigenbaum, director of security for Google's enterprise business line.
However, ISO 27001 certification is not a guarantee. The way it works is that Google defines the scope and the controls it considers appropriate, and the third party certifies that Google meets them. The third parties help Google determine what those controls and thresholds should be, but the result can vary from one enterprise to another.
Google’s Eran Feigenbaum, the company’s director of security for its Google Enterprise group, believes that “businesses are beginning to realize that companies like Google can invest in security at a scale that’s difficult for many businesses to achieve on their own.”
Another security and certification expert, Dave Anders, CEO and managing partner at Phoenix-based SecuraStar Information Security, said that Google's ISO 27001 certification covers the systems, applications, people, technology, processes and datacenters used by Google Apps for Business. "What they are now telling the world is they have reasonable validation."
Anders said, "It doesn't mean they won't have a break-in or loss of confidentiality, integrity and availability, which are the three risk components in ISO 27001, but they're saying they have reasonable assurance that they've put a value on risk and they are addressing that value on risk to mitigate it with controls and that somebody has checked it; that's their reasonable assurance."
Google obtaining ISO 27001 certification demonstrates that it is serious about being a cloud service provider by having the appropriate controls, systems and processes in place. While ISO 27001 does not guarantee 100% security, it is currently the industry standard. It is also understood that a great deal of effort is involved in obtaining this level of certification, especially when the network, applications and datacenters are all brought within scope.
Microsoft, Google Apps' direct competitor with Office 365, claims to have obtained the first ISO 27001 certification. Microsoft also has EU Safe Harbor certification and has signed the HIPAA Business Associate Agreement.
Call to Action
IT executives should view both Microsoft and Google as leading the way towards providing safe and secure cloud service environments. As such, it makes sense for IT executives to expect the same level of security certification from other cloud providers as well.
The following articles also reflect the observation that Microsoft and Google are actively competing in the cloud provider market.
- Frederic Lardinois, techcrunch.com/2012/05/28/google-apps-for-business-iso-27001-certification/
- Jeffrey Schwartz, rcpmag.com/blogs/the-schwartz-cloud-report/2012/05/google-apps-gains-iso-27001-security-certification.aspx
- The Office 365 Trust Center, www.microsoft.com/en-us/office365/trust-center.aspx