OneNet Leads The Way With ISO27001 Certification
OneNet is the first New Zealand cloud service provider to be awarded ISO27001 certification. This is in recognition of the cloud computing firm's compliance with the most widely recognised information security standard of the ISO/IEC 27000 group. ISO27001 sets the parameters for establishing an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure.
New Zealand businesses have widely adopted a 'cloud-first' strategy, best exhibited by the majority of companies who have chosen the cloud as their primary source of IT. The large-scale migration of workloads to the cloud has exposed security vulnerabilities for many New Zealand businesses. In CERT NZ’s 2018 Q3 report, cybersecurity incidents were higher than in any previous quarter.
OneNet’s Chief Security Officer, Brendan Laing, praised New Zealand businesses for their embrace of cloud computing but stated that cyber-attacks and privacy breaches are becoming increasingly prevalent headlines in media outlets from both New Zealand and abroad. He explained that, as a cloud computing provider, we see our industry as a bit of a double-edged sword in terms of being both a solution and a threat to cybersecurity. Therefore, business leaders globally look to ISO27001 as a framework to actively manage information security.
The International Organisation for Standardisation (ISO) is responsible for developing the standards, but is not involved in the certification. The certification is performed by an accredited independent certification body. Organisations seeking ISO27001 certification must comply with the requirements which are identified throughout ten sections of the standard. The scope of the standard includes people, processes, information technology systems and their wider significance to the risk management process.
OneNet’s key commercial driver for undergoing the rigorous and expensive process to obtain ISO27001 certification was a desire for transparency around security processes.
Laing further explained that one common theme emerging from the data breaches we hear about is the belief of victims that their security processes and those of their suppliers were adequate. He stated that when the breach occurs, the vulnerabilities show and, by that stage, it is too late.
OneNet wants not only to tell its clients that their data is safe, but also to show them that it is being actively managed and protected. Having ISO27001 certification provides concrete evidence that OneNet's processes are aligned with internationally recognised and independently verified standards.
When asked what is next for OneNet in the security space, Laing responded that there is not too much room to stop for a “breather”, as ISO27001 is an information security management standard. OneNet is constantly monitoring and improving its internal processes, as well as undergoing annual external audits to ensure it is still meeting the requirements.
Laing encourages New Zealand-based cloud computing providers to come and take a seat at the table when it comes to security regulations. He stated that the New Zealand cloud computing market is not heavily regulated compared to other countries in terms of compliance and, accordingly, security threat awareness is low. There is a preconceived notion that “we're too small to be hacked”. After 20 plus years in the cloud computing industry, OneNet has seen, all too often, where a 'she'll be right' attitude takes you.