ISO 27001 Managed Services Program
ISO/IEC 27001:2013 is an International Standard that has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System. ISO stands for the International Organization for Standardization.
The standard requires that management:
The primary benefit of ISO 27001 certification is that the company can demonstrate to existing and potential customers that effective information security processes have been defined and implemented, thus creating a trust relationship.
This Information Security Management System (ISMS) Standard was created by the International Organization for Standardization (ISO) and governs the security of organizations' information assets. By selecting CenturyLink as your hosting provider, enterprises can take advantage of key security benefits and more easily meet their own IT compliance requirements and cybersecurity objectives.
A company may decide to adopt ISO 27001 for the following reasons:
ISO 27001 is the internationally recognized standard that outlines the requirements for constructing a risk-based framework to initiate, implement, maintain, and manage information security within an organization. The standard, based on the Plan-Do-Check-Act model, defines what an information security management system (ISMS) is, what must be included within the ISMS, and how management should form, monitor, and maintain the ISMS.
Certification depends entirely on the conformity of an organization's ISMS to the ISO 27001 standard. The ISO 27000 suite of standards, available through ANSI, includes the following:
The following are the primary value propositions of ISO 27001 certification:
Allows organizations to obtain independent assurance that their management system conforms to the requirements of an internationally recognized and accepted information security standard.
Meets requirements of customers who mandate conformance to ISO 27001 standards of practice.
Provides significant market advantage over competitors who don't have a certified ISMS.
Delivers cost savings by applying a single, centrally managed, ISO 27001 certified ISMS to multiple compliance efforts, including PCI compliance, HIPAA, Sarbanes-Oxley, and more.
Preparing for and undergoing an ISO 27001 certification review can be broken down into the following phases.
The ISO 27001 standard does not prescribe a specific scope that is required to be defined for the purpose of the review. The scope of the ISMS is determined by the organization and can include a specific application or service of the organization or the organization as a whole.
The requirements of the standard, including the consideration of the control activities included within the ISO 27001 standard, are to be applied only to the scope of the ISMS under review, once defined. The certification, once issued, will specifically state the scope of the ISMS.
A pre-assessment is not required but can assist organizations going through ISO 27001 certification for the first time. During the pre-assessment, it's customary to contract with an independent auditing firm to perform a high-level review of the organization’s scope statement, policies and procedures, and authorization processes. The purpose of this pre-assessment review is to identify gaps in the organization's conformity to ISO 27001.
For a more thorough pre-assessment, or if the organization is still considering whether or not to undergo certification, the organization may consider a formal ISO 27001 readiness review, which can be provided by any number of independent assessor/auditor firms.
The initial certification review consists of two stages. The first stage, typically performed onsite at the client location, consists of a policy and process review to determine the readiness of the ISMS framework to undergo the Stage 2 component of the initial certification review. This review would include inspection of all documents required in the standard.
The second stage of the initial certification review includes in-depth testing to determine that the ISMS framework has been implemented, is monitored, and is maintained per the ISO 27001 standard requirements and per internal policies and procedures. This stage is performed at the client location, or multiple locations as may be required by the scope of the ISMS. The result of the second stage is the determination of whether the organization will be issued the ISO 27001 certificate.
Once issued, ISO 27001 certificates are valid for a three-year term, during which time periodic surveillance audits must be completed. During a surveillance audit, an independent third-party firm will conduct a brief onsite review to determine if any material changes have been made to the ISMS. They will also perform limited testing to confirm that the organization is continuing to follow the framework and controls set forth in the ISMS and statement of applicability.
The timing of the overall ISO 27001 certification process is highly dependent on the maturity of the organization’s ISMS as well as its initial conformance to the ISO 27001 standard. Some organizations may be able to obtain certification within months of the beginning of the certification review, whereas others may require up to a year to obtain certification.
CenturyLink has received ISO/IEC 27001:2013 certification for Global Network Services and Managed Hosting Services in:
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.
Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services, including fully managed networks, servers, storage, operating systems, and security.
Gives a range of storage options, including data replication and backup/archiving. CenturyLink solutions are secure, affordable, and can provide data resilience of up to five nines.