Sumo Logic recently secured ISO 27001 certification and CSA STAR certification. This demonstrates our commitment to security and compliance and gives customers two of the most widely recognized attestations that their data is protected in the cloud.
ISO/IEC 27001:2013 is the international standard for information security management systems. Its Annex A specifies 14 security control clauses and 114 security controls designed to protect the confidentiality, integrity and availability of information. It is important to note that ISO 27001 requires active involvement of the executive team in security and compliance activities and puts emphasis on demonstrating continuous improvement.
CSA STAR is a rigorous assessment of cloud-specific security controls and processes. The certification combines the requirements of the ISO/IEC 27001 management system standard with the CSA Cloud Controls Matrix, a set of cloud security controls mapped to leading standards, best practices and regulations. While some cloud providers stop at the CSA STAR self-assessment, Sumo Logic engaged BrightLine CPAs to conduct an independent audit.
How did we do it?
I'm often asked what it takes to obtain ISO 27001 certification and how much time and effort is required. The answer is that it depends on your existing security posture.
The ISO certification process itself is very involved and requires completion of the following tasks:
- Obtaining buy-in from the executive team – This goes beyond obtaining budget for the audit. ISO 27001 requires that the executive team is actively involved in the security management process and in enforcing security controls within their respective teams.
- Completing a gap assessment – Identifying the security controls that are already in place and the ones that have to be implemented or improved.
- Implementing ISO controls based on the results of the gap assessment.
- Educating and training employees – An ISO 27001 program requires that all employees understand their role in individual controls and their contribution to continuous improvement.
- Completing documentation – ISO 27001 certification requires extensive documentation addressing all relevant milestones and individual controls. This documentation forms the criteria the company is measured against to meet the ISO standard.
- Completing an internal audit, which has to be performed by an auditor who is independent of the work being audited.
- Passing the Stage 1 and Stage 2 audits – These certification audits are performed by an independent assessor who, upon successful completion of both stages without unresolved nonconformities, issues a certificate stating that the business meets the ISO 27001 controls and requirements.
These certifications are a huge milestone for any company, but the fact that we architected the Sumo Logic platform with security in mind made the process easier for us. Our platform is built on a rigorous security model with an end-to-end process that combines best-of-breed technologies with stringent operational processes, enabling our customers to operate and innovate with confidence in the cloud.