Managed Security: Where ISO 27002 Fits In
While managed service providers commonly sell security as a service to customers, some providers are also looking inward at how they protect the customer data they hold. That is the case for Workscape Inc., a provider of outsourced benefits administration and other human resources-related services. The Marlborough, Mass. company recently undertook a security assessment, tapping SystemExperts Corp., an IT security consulting firm, to perform the checkup. Here are some takeaways for readers.
Security often crops up as an objection in an outsourcing arrangement. Being able to show evidence of an independent, clean security review can remove that objection early in the sales cycle and boost an MSP’s standing with prospects.
“It is very important for us to let our clientele know that we take security extremely seriously around the organization and we are going to do anything we can do to safeguard their data,” said Gary Sherman, director of IT at Workscape.
Jonathan Gossels, SystemExperts’ president and CEO, noted that Workscape, because it delivers its services as SaaS, takes in a great deal of confidential employee information in the course of doing business.
SystemExperts evaluated Workscape’s security posture using ISO/IEC 27002, the code of practice for information security management. The 2005 edition of the standard is organized into 11 control clauses, including security policy, access control, physical and environmental security and information security incident management, and within those clauses an organization is measured against 133 individual controls. Gossels called ISO 27002 the broadest single yardstick for determining an organization’s security status. One caveat worth keeping in mind: formal certification is granted against ISO/IEC 27001, the management-system standard; an ISO 27002 assessment such as Workscape’s measures conformance with the controls but does not by itself produce a certificate.
Workscape’s ISO 27002 assessment began with a study session in which SystemExperts walked through the standard and interpreted it in the context of Workscape’s business. The standard is written as a one-size-fits-all document, so the goal of this session is to help the customer understand what compliance means for them specifically, Gossels said.
Next comes a review that goes line by line through the standard and identifies areas for improvement. In Workscape’s case, Gossels said, the company was for the most part already doing the right things security-wise; most of its compliance gaps had to do with documenting procedures and policies rather than with missing technical controls, he added.
Workscape now uses eRoom, an online document-sharing facility, to house its ISO-related documentation along with the other security documents the company produces.
Following the review, the customer remediates the identified deficiencies and schedules a compliance update meeting to discuss progress. The consultant then re-assesses the organization against the standard to confirm that the gaps have been closed.
Workscape’s ISO 27002 compliance assessment took about four months from start to finish.
“It’s a large time commitment and a large resource commitment,” Sherman said. “It is not something to take lightly.”
The commitment doesn’t necessarily end with the assessment. Gossels said a once-a-year recheck is in order to confirm that the customer remains in compliance, and a significant change to infrastructure or operations can also trigger a re-assessment sooner than that.
What do you get?
At the end of the process, SystemExperts delivers a formal report that grades the customer on its degree of compliance (SystemExperts describes Workscape as having a very high degree of ISO 27002 compliance). The firm also provides a letter that Gossels likened to an auditor’s letter in an annual report: it describes the assessment process, the scope of the analysis and what the organization accomplished, and it is the artifact the customer can share with its own clients.
Sherman said clients who see Workscape’s ISO 27002 letter feel comfortable that the company is taking the right steps on security.
“It’s definitely a point of differentiation for us,” he said.
Contributing blogger John Moore covers Master MSPs and Web hosts, and has written about the IT channel for two decades.