ISO 27001 Compliance
ISO/IEC 27001:2013 is an information security management standard that specifies management best practices and a comprehensive set of security controls. The basis of this certification is the development and implementation of a suitable Information Security Management System (ISMS), which defines how GARR manages security and data protection. The certification process verifies that GARR does the following:
- evaluates the information security risks of the cloud services, taking into account the impact of threats and vulnerabilities.
- implements a comprehensive set of information security controls and other forms of risk management to address customer and architecture security risks.
- performs periodic checks that the information security controls meet the requirements.
ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional implementation guidance on information security controls that is specific to cloud service providers.
ISO/IEC 27018:2019 is a code of practice that focuses on the protection of personal data in the cloud. It is based on the ISO/IEC 27002 information security standard and provides implementation guidance on the ISO/IEC 27002 controls applicable to the processing of Personally Identifiable Information (PII) in public clouds. The GARR Cloud Platform delegates authentication to the Identity Provider of each user's own organization; therefore it does not hold PII.