< compliance
CenturyLink is ISO 27001-certified in multiple data centers

ISO/IEC 27001:2013 Certified Data Centers

ISO 27001 Managed Services Program

ISO/IEC 27001:2013 is an International Standard that has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System. ISO stands for the International Organization for Standardization.

The standard requires that management:

  • Systematically examine the information security risk to the Hosting Business Unit (the ‘company’), taking account of the threats, vulnerabilities and impacts.
  • Design and Implement a coherent and comprehensive suite of information security control and/or other forms of risk treatment (risk avoidance or risk transfer) to address those risks that are deemed unacceptable.
  • Adopt an overarching management process to ensure that information security controls continue to meet the information security needs of the company on an on-going basis.

The primary benefit of ISO 27001 certification means that the company can demonstrate to existing and potential customers that effective information security processes have been defined and implemented thus creating a trust relationship.


This Information Security Management System (ISMS) Standard was created by the International Organization for Standardization (ISO) and governs the security of organizations' information assets. By selecting CenturyLink as your hosting provider, enterprises can take advantage of key security benefits and more easily meet their own IT compliance requirements and cybersecurity objectives.

Benefits of the ISO 27001 Standard

The Key Benefits of ISO 27001

  • Extension of the current quality system to include security
  • Provides an opportunity to identify and manage risks to key information and systems assets
  • Provides confidence and assurance to partners and clients
  • Can act as a market differentiator
  • Allows for an independent review and assurance to you on information security practices

Why Adopt ISO 27001?

A company may decide to adopt ISO 27001 for the following reasons:

  • Appropriate for protecting critical and sensitive information
  • Provides a holistic approach to secure information and compliance
  • Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
  • Demonstrates security status according to internationally accepted criteria
  • Creates a market differentiation due to prestige, image and external goodwill
  • ISO 27001 certification is accepted globally

Overview of the ISO 27001 Standard

ISO 27001 is the internationally recognized standard that outlines the requirements for constructing a risk-based framework to initiate, implement, maintain, and manage information security within an organization. The standard, based on the Plan-Do-Check-Act model, defines what an information security management system (ISMS) is, what must be included within the ISMS, and how management should form, monitor, and maintain the ISMS.

Certification depends entirely on the conformity of an organization’s ISMS to the ISO 27001 standard. The ISO 27000 suite of standards, available through ANSI, include the following:

  • ISO 27001 – Information Security Management Systems - Requirements
  • ISO 27002 – Code of Practice for Information Security Management
  • ISO 27003 – Information Security Management System Implementation Guidance
  • ISO 27004 – Information Security Management – Measurement
  • ISO 27005 – Information Security Risk Management

The Value of ISO 27001 Certification

The following are the primary value propositions of ISO 27001 certification:
Allows organizations to obtain independent assurance that their management system conforms to the requirements of an internationally recognized and accepted information security standard.
Meets requirements of customers who mandate conformance to ISO 27001 standards of practice.
Provides significant market advantage over competitors who don't have a certified ISMS.
Delivers cost savings by utilizing a centrally managed ISO 27001 certified ISMS to apply to various compliance efforts, including PCI compliance, HIPAA, Sarbanes-Oxley, and more


Preparing for and undergoing an ISO 27001 certification review can be broken down into the following phases.


The ISO 27001 standard does not prescribe a specific scope that is required to be defined for the purpose of the review. The scope of the ISMS is determined by the organization and can include a specific application or service of the organization or the organization as a whole.

The requirements of the standard, including the consideration of the control activities included within the ISO 27001 standard, are to be applied only to the scope of the ISMS under review, once defined. The certification, once issued, will specifically state the scope of the ISMS.

  1. Pre-Assessment

    A pre-assessment is not required but can assist organizations going through ISO 27001 certification for the first time. During the pre-assessment, it's customary to contract with an independent auditing firm to perform a high-level review of the organization’s scope statement, policies and procedures, and authorization processes. The purpose of this pre-assessment review is to identify gaps in the organization's conformity to ISO 27001.

    For a more thorough pre-assessment, or if the organization is still considering whether or not to undergo certification, the organization may consider a formal ISO 27001 readiness review, which can be provided by any number of independent assessor/auditor firms.

  2. Initial Certification Review – Stage 1

    The initial certification review consists of two stages. The first stage, typically performed onsite at the client location, consists of a policy and process review to determine the readiness of the ISMS framework to undergo the Stage 2 component of the initial certification review. This review would include inspection of all documents required in the standard.

  3. Initial Certification Review – Stage 2

    The second stage of the initial certification review includes in-depth testing to determine that the ISMS framework has been implemented, is monitored, and is maintained per the ISO 27001 standard requirements and per internal policies and procedures. This stage is performed at the client location, or multiple locations as may be required by the scope of the ISMS. The result of the second stage is the determination of whether the organization will be issued the ISO 27001 certificate.

  4. Surveillance Audits

    Once issued, ISO 27001 certificates are valid for a three-year term, during which time periodic surveillance audits must be completed. During a surveillance audit, an independent third-party firm will conduct a brief onsite review to determine if any material changes have been made to the ISMS. They will also perform limited testing to confirm that the organization is continuing to follow the framework and controls set forth in the ISMS and statement of applicability.

  5. ISO 27001 Audit and Certification Timing

    The timing of the overall ISO 27001 certification process is highly dependent on the maturity of the organization’s ISMS as well as its initial conformance to the ISO 27001 standard. Some organizations may be able to obtain certification within months of the beginning of the certification review, whereas others may require up to a year to obtain certification.

CenturyLink has received ISO/IEC 27001:2013 certification for Global Network Services and Managed Hosting Services in:

  • London (LO1, LO3, LO4, LO5, LO6, EMEA Winnersh Office Facility)
  • Singapore (SG2, SG8, Singapore Land Tower Office Facility)
  • Frankfurt (FR6, Frankfurt Westhafenplatz Office Facility).

Global Colocation Service Locations

  • Albuquerque (AB3)
  • Minneapolis (MP1)
  • Atlanta (AT1)
  • Montreal (MR1)
  • Bangalore, India (BLR2)
  • New Jersey (NJ1, NJ2, NJ2x, NJ3, NJ4, NJ5)
  • Boston (BO1, BO2, BO3)
  • Santa Clara (SC4, SC5, SC8, SC9, SN1)
  • Chicago (CH2, CH3, CH4)
  • Seattle (SE2, SE3, SE4)
  • Columbus (CL1)
  • St. Louis (SL1)
  • Dallas (DL1, DL2)
  • Tampa (TP1)
  • Washington DC (DC21,DC3, DC4, DC5, DC6, DC7)
  • Toronto (TR1, TR3)
  • Denver (DN1, DN2, DN3)
  • Vancouver (VC1)
  • Frankfurt, Germany (FR6)
  • United Kingdom (LO1, LO3, LO4, LO5, LO6)
  • Los Angeles (BR1, LA1, OC2)
  • Tokyo (TY6)

Map of data center locations.

Related Products

Cloud Services

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.