ISO 27001 for a Hosting Provider

[griffo]

I'm helping a very small hosting service provider with their ISMS - ISO 27001:2013. I am at the beginning of the project, but am trying to foresee any potential obstacles/challenges. One of them is how should I treat this provider's clients' assets, e.g. their SaaS and PaaS instances like VMware images, mailing systems, etc.? Should I care about them at all or would it be enough to encompass all the contracts and NDAs this cloud provider has with their clients?

To spice a bit more, the provider does not have a data centre of their own, but rather uses some floor space in one big DC.

 

[Richard Regalado]

Hi griffo. Maybe I can help. I have handled 2 large data centers for their ISMS and other compliance requirements.

What is your client's contractual commitment to their customers? Are they just providing rack space, physical access and connectivity? If yes, then you just have to focus on the "A" aspect of the CIA triumvirate. The confidentiality and reliability of the information and systems running on the servers would be on the customers' lookout.

If not, what else is being required from your client?

Looking at the NDAs and contracts and understanding the various commitments are good first steps in your project.

 

[griffo]

Hello Richard, thank you for your quick response.

My client is not just a bare provider of rack space, physical and logical connectivity. They provide several cloud services, from provisioning a single virtual server so that their customers can install anything their businesses require, to web servers, to applications in the cloud like office and messaging applications.
Your point helped me to realise that it will be more than just the "A" part of the triad.

And since I'm going to conduct RA through classical asset-based approach, what would you suggest to be the finest granularity in such highly virtualised eco-system? I mean, it could stop at the VM level, or it could roll all the way down to separate virtualised items that I'm not even aware of. I will certainly want to stop the ball at the right moment during the interviews because when imagination takes off RA can become a real monster.

 

[Richard Regalado]

I would do it down to the VM-level.

As you said and as Donald Rumsfeld put it, there are "unknown unknowns" out there. Don't go down that road mate.

True that RA can be overwhelming. I'm glad you are setting the breadth and depth before jumping right on it.

Good luck!