ISO27001 v SSAE 16 For Information Security

Posted on: April 30th, 2012 by Maya Markovich

One of my law firm clients asked me the other day whether, in the eDiscovery arena, it is critical that vendors have an ISO 27001 certification to ensure the best protection of client data. She said her firm has historically asked its vendors to provide SAS 70 Type II audit reports and now its replacement, SSAE 16, regarding data security (particularly focusing on data centers). She was only recently made aware of ISO 27001 by one of her clients. Since this is the fourth time in the past three months I have received this inquiry, I thought it appropriate to blog about it.

If security is the bottom line, in my opinion, there is a big difference between SSAE 16 and ISO 27001. Simply stated, SSAE 16 provides certain assurances regarding controls for service organizations, including security and technology testing, whereas ISO 27001 is entirely devoted to security and adhering to the formal set of standards pertaining to its information security management system (ISMS). To be ISO 27001 certified, this system is scrutinized (internally and externally audited) for security risks. Protections must be uniformly implemented to minimize those risks across the entire ISMS.

ISO 27001 extends well beyond basic IT network and application security. It is a comprehensive management process where activities are monitored and enforced on a daily basis and potential deficiencies are identified for continual improvement of the process. This process involves strong awareness by everyone within the organization of their data security obligations and the effort to strive for better information security. In eDiscovery, it is common for data to be transferred, manipulated and managed outside the firewall by multiple parties (or even sub-groups within that same entity). Each transfer creates additional risk to security and greater complexity in managing this problem. Having this level of certification, as I told her, should provide the highest level of relief and comfort to any organization concerned about the security of its data.