Is an ISO 27001-certified company guaranteed against data leakage?
It's a common misconception, but the answer is no. ISO 27001 certification does not guarantee that there will be no data leakage. It is, above all, a guarantee of maturity in ISS (Information Systems Security).
In concrete terms, this means that the certified organization is aware of the risks and issues related to information security. But it's not an absolute guarantee of technical security at any given moment.
You often work in data centers. What are the specific features of these environments, particularly with regard to the HDS (Health Data Hosting) standard?
A data center takes a special approach, because it's first and foremost a physical hosting facility. The HDS issue is therefore less focused on the logical security of information than on safety.
HDS certification, which is mandatory for hosting healthcare data, requires an ISO 27001 base. But in the field, for data centers, HDS mainly validates the implementation of rigorous security elements, such as physical access control.
Beyond this physical security, a Data Center has an obligation of result towards its customers. How does the ISO 27001 audit address this?
This is a key point. When an ISO 27001 Data Center is audited, the structure provides, in addition to safety, a guarantee of the availability of the services it offers: cooling, ventilation, energy, fire safety...
It is essential for the auditing organization to be able to verify the auditee's ability to maintain this level of availability. This is usually formally mentioned in customer contracts, most often through SLAs (Service Level Agreements). To verify this during the audit, the auditor focuses on three specific technical issues:
- Equipment redundancy
- PCA / PRA / PUPA (Plan de Continuité d'Activité / Plan de Reprise d'Activité, i.e. business continuity and disaster recovery plans, and Plan d'Urgence de Poursuite d'Activité, an emergency business continuation plan)
- Maintenance of the installations
These verifications seem quite onerous. How does the auditor manage to be relevant to such vast subjects in such a short space of time?
Auditing is a time-constrained exercise. The approach is based on two pillars: sampling and the ability of the auditee to prove his or her claims (the evidence-based approach).
On a global level, the success of a compliance audit depends on the auditor's ability to quickly identify the auditee's specific activities and needs.
It is this ability that enables us to ensure the relevance of the organizational and technical controls we carry out throughout the audit.
You mentioned physical security. Should access be tested "like an attacker"?
No, not "like an attacker"; that would require formal authorization and supervision.
However, physical access control systems must be systematically checked. This is necessary because these systems are often technically vulnerable. There are now over-the-counter devices that enable brute-force attacks on access badges.
The auditor uses discreet tools to check the robustness of the technology used on these systems. If the system is poorly protected, someone could gain entry without presenting a legitimate badge. Building IT systems (BMS/GTB) also need to be checked, as an attacker could trigger a fire alarm via the network to force doors open.
In conclusion, how do you compare the ISO 27001 audit with technical intrusion testing?
They are two complementary levels. ISO 27001 validates organization and maturity.
To guarantee a real level of technical security, we need to carry out a specific technical audit (pentests) which will identify vulnerabilities and propose remedial actions.
These tests are carried out by firms qualified by the ANSSI: the PASSI. At LSTI, we are the organization that evaluates and qualifies (along with ANSSI) these PASSI firms. In this way, we cover the chain of trust from end to end.