Blog by Aris Lambrianidis, Information Security Manager at AMS-IX
Last month, AMS-IX received ISO 27001:2013 certification which specifically deals with information security. This certification instantly makes it clear to everyone that AMS-IX has a well-rounded, highly systematic approach to information security. Internet Exchange Providers are not well understood; our methods of operation aren’t clear to everyone. That’s why it is important that we can demonstrate we’re taking all the right steps - especially because we’re classified as critical infrastructure. What’s more, we can also show that we are compliant with new and old EU regulations.
The entire process took almost two years. Together with all stakeholders, a wide variety of procedures were developed, refined and documented. Following this, a number of processes required by the standard were introduced, including risk assessments, internal auditing and management reviews. A number of critical controls have also been implemented, such as deployment of Endpoint Protection, centralized user identity management and two-factor authentication for crucial services. The finance department, NOC and Engineering already had very structured operational methodologies, which were a good starting point.
We were helped by the fact that a great deal of up-to-date documentation was readily available. ISO auditors don’t necessarily require inordinate amounts, the standard itself is pretty specific about this – but it’s smart to document most processes in detail for one’s own benefit! This also helps ensure everyone is on the same page and working with the same information, which is essential to obtaining certification. It was interesting to see that many of the required (technical) controls and policies were already in place for our core business, simply because staff had decided to implement them some time ago.
Of course, ISO certification isn’t a ‘one-off’, but a continual process, which requires ongoing awareness and vigilance. We will keep working hard in order to maintain our current security standards.