Technically Speaking

The Official Bigstep Blog


The Importance of ISO Certifications for Infrastructure Services

What are ISO certifications? How do you get ISO-certified? Which ISO certifications are crucial for hosting and infrastructure services? And which industries require working with an ISO-certified infrastructure provider most? Find out the answers to these questions and more from Mihail Musat, Director of Technical Operations at Bigstep, in the article below.

What are ISO certifications?

ISO stands for the International Organization for Standardization. ISO develops the international standards; being certified against one shows customers that your product, service or management system meets a set of requirements they recognize. ISO itself does not issue certificates: certification is performed by independent certification bodies, as discussed later in this article.

Why the need for ISO standards?

From a client’s perspective, an ISO-certified supplier is chosen for trust and for the reliability of the services provided. Clients need reliable suppliers for many reasons: audited processes, documented processes and other behind-the-scenes requirements are extra proof of professionalism and long-term stability. An ISO-certified supplier can therefore demonstrate its reliability in a way that an uncertified one cannot. The same goes for other reputable attestations and certifications, such as SOC 2 Type II or PCI DSS.

From a supplier’s perspective, having ISO certifications in place leads to continuous improvement of the services offered. Another benefit is the presence of auditable processes; there is a significant difference between merely having various internal processes and having processes that can be audited. Moreover, there are clear guidelines on how to audit these processes.

How do you get ISO certifications?

To get ISO-certified, you need to pass two audits:

  • An internal audit, which, despite its name, is in our case not conducted internally but by an external qualified company;
  • An external audit, conducted by an accredited certification body.

The internal audit is mandatory (the standard requires it) and verifies that all aspects of the code of practice are respected; the external audit reviews fulfilment of the standard’s requirements, including the internal audit itself, and focuses more on each key business process.

Besides the general aspects, each ISO certification has its own checklists for both internal and external audits.

How long does it take to get ISO-certified?

Generally, a first certification takes between three months and a year, depending on the number of business processes, their complexity and the specifics of the company being audited. As an SME IaaS business, our first ISO 27001 certification (both internal and external audits) took about six months.

How difficult is it to get ISO-certified?

Getting an ISO certification requires commitment not only from top management but from the entire staff: being certified means that each employee is responsible for acting in a certain way. If that enforcement is not fully supported by top management and by everyone else in the company, getting certified is complicated, and maintaining the certification may even become impossible.

It can be even more complex for larger organizations: to get certified and keep the certification, they may need far more bureaucracy. For a small company and, generally, a small team, the difference lay in the training we held so that employees understand the importance of all these business processes. Another key element was the implementation of well-chosen information systems that automate and rigorously check most of the ISO requirements whenever an organizational change (e.g. an employee leaving the company) occurs.
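As an added illustration of the kind of automated check described above (hypothetical example code written for this article, not Bigstep’s own information systems): it reconciles a constructed HR roster against constructed IAM account exports and flags the two things an auditor would ask about after a departure, access that outlived a leaver and accounts with no owner in HR, then wraps the result in an auditable record. The one-day grace period, the check id and all the data are assumptions.

```python
"""Automated check for one ISO 27001 access-control requirement: accounts of
people who have left must be removed promptly, and every account must have an
owner. Hypothetical example written for this article, not Bigstep's own tooling;
the roster and account exports are constructed sample data, not real records.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str              # "leaver_access_open" or "orphan_account"
    system: str
    account: str
    employee: str          # owner recorded in the IAM export
    days_open: int         # days since the leaving date (0 for orphans)


# Constructed HR roster: employee id -> leaving date (None = still employed)
ROSTER: Dict[str, Optional[date]] = {
    "e088": None,
    "e102": date(2023, 3, 31),
    "e117": date(2023, 5, 12),
}

# Constructed IAM exports: system -> {account: employee id recorded as owner}
ACTIVE_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "ldap":   {"jdoe": "e102", "asmith": "e088", "bwong": "e117"},
    "vpn":    {"jdoe": "e102", "asmith": "e088"},
    "gitlab": {"bwong": "e117", "asmith": "e088", "svc-legacy": "e999"},
}

# Assumed internal target (not a figure from the standard): access is gone
# by the next working day; anything older is treated as a nonconformity.
GRACE_DAYS = 1
SAMPLE_RUN_DATE = date(2023, 5, 20)   # constructed date for the sample run


def reconcile(roster: Dict[str, Optional[date]],
              accounts: Dict[str, Dict[str, str]],
              today: date,
              grace_days: int = GRACE_DAYS) -> List[Finding]:
    """Compare every active account against HR and return the nonconformities."""
    findings: List[Finding] = []
    for system, owners in accounts.items():
        for account, emp_id in owners.items():
            if emp_id not in roster:
                # Nobody in HR owns this account, so no leaver process can ever
                # catch it; it is a finding in its own right.
                findings.append(Finding("orphan_account", system, account, emp_id, 0))
                continue
            left_on = roster[emp_id]
            if left_on is None:
                continue                       # current employee, access is legitimate
            days_open = (today - left_on).days
            if days_open > grace_days:
                findings.append(Finding("leaver_access_open", system, account,
                                        emp_id, days_open))
    # Longest-lived exposure first, so the report leads with the worst case.
    return sorted(findings, key=lambda f: (-f.days_open, f.system, f.account))


def evidence_record(findings: List[Finding], today: date,
                    check_id: str = "AC-LEAVER-01") -> dict:
    """Summarise one run as the kind of auditable record an auditor asks for."""
    return {
        "check": check_id,
        "run_date": today.isoformat(),
        "status": "FAIL" if findings else "PASS",
        "findings": [asdict(f) for f in findings],
    }


def sample_findings() -> List[Finding]:
    """Run the check over the constructed sample data."""
    return reconcile(ROSTER, ACTIVE_ACCOUNTS, SAMPLE_RUN_DATE)


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_record(sample_findings(), SAMPLE_RUN_DATE), indent=2))
```

Run on a schedule (and on every HR leaver event), the stored evidence records are exactly what a surveillance auditor asks to see: proof that the control was executed, when, and what it found. The orphan-account case is kept as a separate finding kind because an account nobody owns can never be caught by a leaver process.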

Which are the actual steps of getting ISO-certified?

These steps can be presented in various ways, and there are complete ISO methodologies describing these processes if you need to go into more detail. We will only show some key steps here.

For the internal audit, the steps are as follows:

  • Documenting the scope of the management system (internal and external context, interested parties and their expectations, including applicable legal requirements, processes, etc.) and its policy;
  • Initial gap analysis – the first step in any audit process (ISO, SOC, etc.). It compares what the company should cover in terms of measures and processes with what it actually does; the gaps found become the improvement measures to be implemented in the short, mid and long term;
  • Training – covers the standard’s requirements and the directives for implementing them;
  • Risk assessment – asset inventory (including the relevant quality, information security and service related assets), identification of threats and vulnerabilities affecting the assets (risk scenarios), impact and probability estimation, risk calculation and evaluation, and a risk mitigation plan;
  • Elaboration of the necessary documented information – policies and procedures;
  • Analysis of the applicable controls from the ISO code of practice (ISO 27002, in the case of ISO 27001) – for each control there is a control measure and its description, which can be active, inactive or not applicable;
  • Review of each control and its implementation in order to complete the Statement of Applicability – during the internal audit;
  • Implementation of required and missing controls wherever necessary;
  • Audit report, containing a complete list of improvements and a detailed plan;
  • Management review of the results of the implementation.

The external audit, conducted by an accredited certification body that is independent of the company that performed the internal audit, has a few extra steps:

  • Review of the internal audit report;
  • Audit interviews with the owner of each key business process area;
  • Audit report, containing a complete list of improvements and a detailed plan;
  • If no nonconformities are found, the full audit report is filed with the certification body;
  • If the certification body finds all documentation in accordance with the standard, the certificate is issued.

Can you lose your ISO certifications? How?

Yes. This happens when the certification body discovers nonconformities (for example during a surveillance audit) that are not corrected in a timely manner.

ISO certifications don’t last forever. How long is a certificate valid, and how does the renewal process work?

For the certifications we hold, the renewal cycle is three years, with a surveillance audit every year.

The renewal audit follows the same process as getting the certification for the first time.

The surveillance audits focus mainly on reviewing the previous year’s audit documentation and all significant organizational changes that have taken place since then.

Are there country-specific standards?

There can be, and the UK has actually been a source of inspiration for several ISO standards: well-known BS (British Standards) documents such as BS 7799 and BS 15000 were adapted into what are now ISO 27001 and ISO 20000.

G-Cloud is not a certification per se, but some companies treat it like an audit because of the approval process behind it. In reality it is a procurement framework that the UK Government put in place so that public-sector bodies can buy cloud products and services from vetted IT suppliers.

For our company, it proved a requirement for finalizing some key business deals in the UK. We have therefore gone through this process several years in a row to obtain and maintain G-Cloud supplier status.

What other types of standards are there?

There are several other types. For instance, the SOC 2 Type II report (strictly an attestation report rather than a certification) was, for us as an IaaS company, another key item to add to our stack when launching for the US market. While ISO has a good reputation in Europe, a SOC 2 Type II offers more credibility to US customers looking for our services.

Which ISO certifications are crucial for hosting and infrastructure services?

Our approach was to cover everything related to security and data privacy. The most critical aspect of our business is hosting customers’ data on our bare metal servers; that data needs to remain available and protected at all times. ISO 27001 (the information security management system itself), ISO 27017 (cloud-specific security controls) and ISO 27018 (protection of personal data in public clouds) help us in this regard.

The next aspect we looked at was the quality of our services, which is why we chose ISO 20000 (IT service management) and ISO 9001 (quality management).

Now, in the GDPR era, we are also looking at ISO 27701, ISO’s privacy information management extension to ISO 27001 and ISO 27002. It offers an auditable framework for GDPR obligations, for which no certification scheme existed before.

Which industries require an ISO-certified infrastructure provider?

I cannot think of an industry that does not. All businesses hosted on our bare metal servers use them to process data, and, as mentioned above, the availability and security of that data are crucial for any business. Since the beginning of Bigstep, requests for our ISO certificates have come mainly from customers who either already held ISO certifications themselves or were in the process of obtaining them.

While it can help any business, for recruitment groups, media agencies, medical centers, booking platforms and any business with a membership system or that collects personal data (shops, food delivery applications and so on), an ISO-certified provider may be a default requirement. In some industries, working with a certified provider may even be a legal or contractual requirement.

How can you check if your infrastructure provider is ISO-certified?

Ask the provider for its ISO certificates; this is the simplest and most reliable way. Then check each certificate rather than just its existence: the scope statement (does it actually cover the data centers and services you will be using?), the issue and expiry dates, and the issuing certification body and its accreditation, which you can confirm with the certification body itself or through the accreditation body’s public register.

How often do customers inquire about our ISO certifications?

We get ISO-related enquiries every month. We hope that we managed to cover the most essential aspects of the ISO standards and certifications through this article.

What certifications does Bigstep have?

The security of our bare metal servers, facilities and customer data is backed by the following certifications:

For more information on data security and privacy, take a look at our security overview, and if you have any questions regarding ISO certifications, let us know in the comment section.

About The Author:

With more than 15 years of experience in IT Project Management and R&D, Mihail Musat is an experienced trainer, author, and promoter. His expertise focuses on ISO certifications, and he currently serves as Director of Technical Operations at Bigstep.


