Read more, read everything at Google Apps receives ISO 27001 security certification – ComputerworldUK.com.
UPDATE: The Google Announcement arrives!
My commentary for the above, in full:
ISO27001 is good to see stamped upon a vendor’s product and business processes – however it is emphatically not a “seal of security approval” – not at all.
The promise of 27001 certification is that a vendor has considered and documented various security risks and threats which would impact their offering – and has established a process to continue this in an ongoing fashion – and then has had the documentation of that understanding cross-checked and validated by an external agency.
In sporting metaphor: a vendor (in this case, Google) gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it; and then they jump over it and the certification agency simply attests that they have successfully performed a high-jump over a bar of their own design. The design documents and jump technique do not need to be made public.
So what would be really interesting would be if Google publishes their security requirements, their standards, their policies and risk assessments, so everyone else can see what kind of high-jump they have just performed – how high, how hard, and landing upon what kind of mat?
It would be that which would inform me of how far I would trust Google Apps with sensitive data, most especially with regard to the provisions they must make for “lawful access” to data by government actors.
I would love to see Google take a lead in transparency of its security processes – not least so that others may learn from them, eg: its exemplary approach regarding data destruction.
Leave a Reply