
THE SCHELLMAN ADVANTAGE BLOG


ISO 27001 Certification and PCI DSS 2.0 - Significant Achievements for Amazon

Written by DOUGLAS BARBIN on Dec 15, 2010

Over the past several months there have been two key announcements from Amazon. The first was that AWS achieved ISO 27001 certification. The second was that it had undergone PCI validation. Almost a month later these announcements continue to drive additional press, including recent articles from InformationWeek and one from Redmond Magazine.

The FAQs on the Amazon site reference ISO 27001 certification for Amazon’s security program, while the PCI validation specifically cites: Amazon Elastic Compute Cloud (EC2), the Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS), and the Amazon Virtual Private Cloud (VPC).

Late last year Amazon was criticized for announcing that it had undergone a Type 2 SAS 70 audit without specifying what the underlying control objectives were. While this is normal to an auditor, who knows that SAS 70 reports are auditor-to-auditor communication, the security community wanted more specifics. While not going to the degree of disclosing all of its security controls to the public, Amazon has taken steps to leapfrog many of its competitors with respect to independent audits and certifications.

Key points when considering Amazon’s recent announcements:

  • Like all audits and certifications, the PCI DSS validation and the ISO 27001 certification have a defined scope.
  • In the case of PCI, the report on compliance (ROC) should include an explicit scope statement which defines what controls AWS is responsible for versus what its customers are responsible for.
  • The ISO 27001 certification is not as prescriptive as some may expect. The certification focuses on the process of managing Amazon’s Information Security Management System (ISMS) and requires that it consider the 133 controls listed in Appendix A of the ISO standard.
  • These 133 controls are aligned with the best practices laid out in ISO 27002. Many do not understand that ISO 27002 is a code of practice or guideline and not something that an organization can be certified against.

Still, this is a very significant milestone for Amazon. If you look at the marketplace today, SAS 70 audits have become the price of entry. Most cloud providers that handle data that impacts their customers’ financial statements undergo a SAS 70 audit. PCI was the next phase of adoption for providers wishing to service companies that handle cardholder data. AWS has achieved both of these as well as ISO 27001 certification, a distinction held by very few organizations within the US. In addition, they were an early adopter of the PCI DSS 2.0 standard, which includes requirements to scope and assess any underlying virtualization technology that is in use.

Topics: Payment Card Industry (PCI) Data Security, ISO 27001 / 27002

MEET THE WRITER

DOUGLAS BARBIN

PRINCIPAL AND SECURITY PRACTICE LEADER

Doug Barbin is a Principal at Schellman & Company, LLC. Doug leads all service delivery for the western US and also oversees the firm-wide growth and execution of security assessment services including PCI, FedRAMP, and penetration testing. He has over 19 years of experience. A strong advocate for cloud computing assurance, Doug spends much of his time working with cloud computing companies and has participated in various cloud working groups with the Cloud Security Alliance and the PCI Security Standards Council, among others.