At Respond.io, we recently and happily received our first compliance certification under the ISO 27001 framework. The certification attests that an organization meets the world’s best-known standard for information security management systems (ISMS), and that it has put in place a system to manage the risks to the security of the data it owns or handles.
As the person in charge of infrastructure security and one of the contributors on a small team leading this initiative, I would like to share a few tips for developers and DevOps enthusiasts who are less familiar with organizational compliance from a technical point of view.
If you are hosted on a major cloud provider, a lot of the heavy lifting is taken care of for you. But does that mean you automatically inherit all the compliance certifications the provider has achieved?
The answer, unfortunately, is no. Under the shared responsibility model (which most cloud providers follow), the provider is responsible for only part of your system’s security. They provide secure data centers, resilient networks, and encrypted communications. You remain responsible for enabling encryption, managing user access, configuring instances, and running secure software on your self-managed infrastructure.
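To make the customer side of that split concrete, here is an added example (not code from the original post or from Respond.io) of a small policy-as-code check that walks an inventory of resources you manage on top of the provider's platform and flags the items the paragraph above assigns to you: encryption not enabled, user access not managed, instances exposed, and software left unpatched. The inventory, the field names, and the thresholds (`MAX_DAYS_SINCE_PATCH`, `ADMIN_PORTS`) are all constructed assumptions for the demonstration; in practice you would feed it an export from your provider's API or a tool like Cloud Custodian.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed sample inventory, not an export from any real account. Each
# entry stands in for a resource you configure yourself on the provider's
# platform, which is exactly the part the shared responsibility model leaves
# to the customer.
SAMPLE_INVENTORY = json.dumps([
    {"id": "bucket-customer-uploads", "type": "bucket",
     "encryption_at_rest": False, "public_access": True},
    {"id": "bucket-backups", "type": "bucket",
     "encryption_at_rest": True, "public_access": False},
    {"id": "vm-api-01", "type": "instance",
     "internet_exposed_ports": [22, 443], "days_since_patch": 120},
    {"id": "vm-worker-02", "type": "instance",
     "internet_exposed_ports": [443], "days_since_patch": 7},
    {"id": "user-deploy-bot", "type": "iam_user",
     "mfa_enabled": False, "policies": ["*"]},
])

# Assumed internal thresholds (hypothetical); tune them to your own policy.
MAX_DAYS_SINCE_PATCH = 30
ADMIN_PORTS = {22, 3389}

Finding = Tuple[str, str]  # (control, message)


def check_bucket(r: dict) -> List[Finding]:
    """Storage: the provider encrypts its disks, but you must turn on
    encryption for your data and keep the bucket private."""
    out = []
    if not r.get("encryption_at_rest", False):
        out.append(("encryption", "encryption at rest is not enabled"))
    if r.get("public_access", False):
        out.append(("access", "bucket allows public access"))
    return out


def check_instance(r: dict) -> List[Finding]:
    """Compute: the provider secures the hypervisor, but the guest's
    firewall rules and patch level are yours."""
    out = []
    exposed = ADMIN_PORTS & set(r.get("internet_exposed_ports", []))
    if exposed:
        out.append(("instance-config",
                    f"admin ports exposed to the internet: {sorted(exposed)}"))
    if r.get("days_since_patch", 0) > MAX_DAYS_SINCE_PATCH:
        out.append(("software",
                    f"no patches applied for {r['days_since_patch']} days"))
    return out


def check_iam_user(r: dict) -> List[Finding]:
    """Identity: the provider runs the IAM service, but who gets access
    and how strongly they authenticate is decided by you."""
    out = []
    if not r.get("mfa_enabled", False):
        out.append(("access", "MFA is not enabled"))
    if "*" in r.get("policies", []):
        out.append(("access", "wildcard (*) policy grants full access"))
    return out


CHECKS: Dict[str, Callable[[dict], List[Finding]]] = {
    "bucket": check_bucket,
    "instance": check_instance,
    "iam_user": check_iam_user,
}


def audit(inventory_json: str) -> List[Dict[str, str]]:
    """Run every applicable check and return one finding per violation."""
    findings = []
    for r in json.loads(inventory_json):
        for control, message in CHECKS.get(r["type"], lambda _: [])(r):
            findings.append({"resource": r["id"], "control": control,
                             "message": message})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per customer-side control area."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["control"]] = counts.get(f["control"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f['resource']:<25} {f['control']:<16} {f['message']}")
    print("summary:", summarize(results))
```

Every finding the script produces is one the provider's own certifications do not cover: the cleanly configured resources (`bucket-backups`, `vm-worker-02`) pass, while the misconfigured ones surface under the same four headings the shared responsibility model hands to the customer. The point of keeping checks this small and explicit is that each one maps directly to a control you will have to evidence in an ISO 27001 audit.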