Last year, Cisco announced that it received ISO 27001 certification for its collaboration solution, Cisco Spark. With so many industry acronyms and standards being bandied around, you may have overlooked this announcement, but it’s actually a big deal for Ingram Micro Cisco partners.
What is ISO 27001?
ISO 27001 is the best-known standard in the family of ISMS (information security management system) specifications created by the International Organization for Standardization (i.e., ISO). An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems, and it works by applying a risk management process. According to ISO, the 27001 certification specification was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an ISMS.”
The certification takes a risk-based approach, and it defines a six-part planning process:
- Define a security policy.
- Define the scope of the ISMS.
- Conduct a risk assessment.
- Manage identified risks.
- Select control objectives and controls to be implemented.
- Prepare a statement of applicability.
Beyond defining a long list of operational requirements that a service needs to meet, ISO 27001 requires applicants to document how their service is meeting the requirements and then prove that it keeps on meeting them. It covers everything from incident management to inventory control to access controls, vulnerability scanning and even personnel management.
Don’t be fooled by misleading claims
When looking at software vendor certification claims, it’s vital to understand what exactly the vendor says is certified. For example, it’s common for vendors to make claims that their software “runs on ISO 27001-certified data centers.” While it may be a truthful statement, it doesn't tell you anything about their software. If their application doesn’t also have the certification, there’s no guarantee it includes the same level of security protection that the data center has.
What matters behind the scenes
Cisco Spark provides open collaboration for users while maintaining the highest levels of security. With Cisco Spark, your customers’ data—all content, messages, files and whiteboard drawings—is private. The software features always-on, end-to-end encryption and options to manage encryption keys on the servers.
When a Spark user performs searches, matches are retrieved and sent to the user’s device before being decrypted. Plus, only successfully authenticated users can view messages and files in Cisco Spark spaces.
Cisco Spark also supports integrations with existing identity management software, and it gives partners the ability to customize application and device security controls, including idle timeout for web clients, device PIN enforcement and remote wipe of Cisco Spark content cached on mobile devices.
Spark administrators can define compliance settings for data retention, search and extract reports, and integrate with existing compliance software. Additionally, Spark offers:
- Flexible retention. Spark content can be stored indefinitely until a user deletes it, or retained according to administrator-defined retention policies.
- E-discovery. To meet legal and regulatory needs, compliance administrators can search and extract content, including all activities, text messages, content and contextual data such as timestamps, space IDs and participant IDs.
- Data loss prevention. Use the Cisco Spark Events API (application programming interface) to poll for events and content so that you can monitor and correct user behavior. Integrate the Events API with your cloud-access security broker (CASB), data loss prevention system (DLP), archival platform or e-discovery software to check for policy violations and to take remediation action.
- Archiving. The Cisco Spark Events API enables polling for events to archive the content in an archival application.
A final point about the certification is that it's not just for Cisco Spark; it also covers Cisco WebEx. These services share infrastructure, and through a Cisco Flex Plan subscription, they can be sold together. When you combine Cisco Spark’s ISO 27001 certification with its other security features, it’s another reminder that Cisco takes data security seriously.