ISO 27001: Should You Expect it From Your API Vendors?
ISO 27001 is a way for companies to prove a certain standard of security to their customers. You may recognize ISO as the standards body that issues international standards and classifiers for all kinds of products and services, including date and time standards, country and currency codes, and structural systems—like the ones we’ll be discussing in this article.
ISO 27001, also known as ISO/IEC 27001, is widely used by organizations to develop an information security management system (ISMS). Independent auditors then assess how well a company meets the standard, and issue a certificate of compliance. In this article we’ll explore the standard in detail and look at how it affects the vendors and web service providers that your organization relies on.
What is ISO/IEC 27001?
ISO/IEC 27001 is a joint standard originally published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, and then revised in 2013. It is not a regulation, but rather a standard that organizations can choose to comply with. The processes used to meet the standard can help organizations meet various international regulations, but that isn’t the primary goal. Organizations can then choose to be audited and certified in order to show their compliance with the standard. While it is a joint standard, it is most commonly known as ISO 27001.
The standard is centered around the practice of establishing an information security management system, or ISMS. One difference between ISO 27001 and other standards related to ISMSs is ISO 27001 provides the specification for an ISMS, but not specific guidance or best practices for the controls used in the ISMS. Other standards in the ISO 27000 family can help with that.
An ISMS describes and demonstrates how an organization handles information security. It includes details on the processes, people, and technology involved in the protection and management of information within the organization. The ISO 27001 system puts emphasis on risk management and analysis as part of the specification.
It does this through security controls. Any process or service used to detect security problems, prevent data loss, counteract security risk, and protect systems can be considered a security control. The ISO 27001 ISMS, for example, has 114 best-practice controls in annex A of the standard. These can affect all parts of the organization, and include things like:
- Physical access controls for datacenters such as access cards, locks, surveillance cameras, etc.
- Staff awareness programs and policies on how to access data, who can access data, and what should be done in the event of improper handling of data.
- Encryption expectations and procedures for both data storage and transmission.
- Threat monitoring systems for detecting or predicting security threats and breaches.
An ISMS will often have controls dedicated toward data privacy and data integrity, which makes it pair nicely with many international laws such as the General Data Protection Regulation (GDPR) and the Privacy Act 2020.
Organizations planning for ISO 27001 certification compare their existing system to the ISMS specification and fill in any gaps. If they choose not to implement a requirement, they must document why it isn’t applicable.
Benefits of an ISO 27001-compliant ISMS
An information security management system focuses an organization’s security efforts. In addition to complying with laws and regulations, an ISMS can achieve the following:
- Works across industries. ISO 27001 is industry agnostic, so it can set the baseline for any company’s security efforts and be enhanced by other standards in the 27000 family.
- Provides cost-effective strategies for managing risks. The ISMS emphasises risk assessment and risk analysis, which means organizations can focus their spending on the most vital areas.
- Protects the confidentiality of data by outlining policies and procedures that ensure confidentiality.
- Affects the entire organization, not just the IT department. This protects against data-leaks in engineering-adjacent departments and through areas like human resources. It allows all departments to be part of the information security initiative.
- Secures both physical and digital information, whether the data is locally housed or lives in cloud hosting.
- Provides an adaptive system that can change as the organization changes, and as new threats arise.
These are only a few of the benefits. The largest is peace of mind. With an ISMS in place, organizations can know they have done their due diligence in preparing for threats and ensuring systems are in place to avoid and protect against them.
Other standards in the ISO 27000 family
When evaluating vendors for compliance and security certifications, you’ll likely come across a variety of ISO 27000-level standards. While 27001 specifies the main requirements for an information security management system, the family of standards offers details for individual industries, specific practices for information security controls, and specific practices for cloud service providers.
Here are a few common ISO 27000 standards you’ll see when assessing API and SaaS providers:
- ISO 27001: The standard talked about in this article. Sets requirements for an Information Security Management System.
- ISO 27002: Code of practice for information security controls. These are guidelines for selecting, implementing, and managing controls for an organization’s risk environments.
- ISO 27017: Gives guidelines for implementing the ISO 27002 control guidance for cloud service providers and cloud service customers. With the emphasis on cloud, this standard often appears when assessing API providers.
- ISO 27018: Best practices for protecting personally identifiable information (PII) in cloud environments where cloud providers act as PII processors.
In many cases, each ISO standard in the 27000 family enhances the 27001 processes. For API providers, ISO 27017 and ISO 27018 are particularly impactful, as they deal directly with cloud platforms and PII. You’ll see them listed by the big cloud providers like Google Cloud Platform (GCP), Amazon Web Services (AWS), and Microsoft Azure, along with many single-service SaaS providers.
How ISO 27001 compliance by your vendors affects you
Any non-regulatory compliance standard can benefit the organization implementing it, but it can also be used as a sales tool. API providers that deal with your data, and more specifically your customers' data, should be held to a higher standard than providers used for other data.
This is why the ISO 27000 family of standards is so popular with cloud service and API providers. Not only does it help you know they are taking the appropriate steps to secure their systems and data, but it also ensures all customer data is protected. At Bearer, we want our customers to focus on assessing the risks of third-party APIs, so they can use them more confidently. Compliance standards like ISO 27001, ISO 27017, and ISO 27018 help organizations do just that.
You can find out if your vendors are ISO 27001 compliant by reaching out to them directly or reviewing their security and compliance pages. Incorporating compliance expectations, like ISO 27001 certification, into your organization’s API governance strategy can ensure that both you and your customers are protected from data security risks.