Mimecast is preparing to go through our ISO 27001 certification at the moment and it struck me quite how different it is to certify as a cloud service vendor rather than as a traditional company.
Excuse my oversimplification of the ISO 27001 process for those not involved in it, but effectively there are four stages:
1. Define the organization’s acceptable risk
2. Work out what risk the organization is exposed to
3. Apply controls to reduce the residual risk to a level at or below the acceptable risk
4. Rinse, repeat
A common method is to conduct a risk assessment, perhaps using the methodology covered in ISO 27001’s sister publication ISO 27005, and then apply controls to manage the identified risks, drawn from another sister publication, ISO 27002.
