ISAE 3402, ISO 27001, GDPR, SAPHosting + HANAOperationPartner and CAIQ Compliant

The day I started preparing this blog post, WCry cryptoware had taken over hundreds of thousands of windows machines. Many companies had used the weekend to patch windows machines.

I caught up with Kjell Nagelhus, Basis Consulting’s ISO 27001 Lead Implementer, to try to understand the meaning of all the security and compliance work they have done in recent years.

Hello Kjell
What are you doing right now?
Right now I’m planning dates for the upcoming ISO 27001 certification.

Can you tell me what ISAE 3402 and ISO 27001 compliance are all about?
Well, it’s really a long answer. I’ll still try to make it short. ISAE 3402 is a standard that allows firms to issue a report that is used by the service providers’ customers and their auditors in financial audits. The ISAE 3402 report that Basis Consulting offers its clients, is a so-called Type II report. It contains a description of the organization’s IT controls (ITIL, operations, network and security), detailed testing of these controls over a period of one calendar year, and a statement by an external audit firm that carries out the test of these checks and issuing the report (with the result of the testing).

And what about ISO 27001?
ISO 27001 is an international standard that sets requirements for the establishment, implementation, maintenance and continuous improvement of a management system for information (Information Security Management System – ISMS). The control system includes a variety of activities for managing risks and thus protect your organization against security incidents that can have a negative impact on the quality of services we provide to our customers and our reputation as a service provider. ISO 27001 has a risk-based approach to information security that encompasses people, processes and technology.

What is the difference between ISAE 3402 and ISO 27001?
ISAE 3402 is primarily value for our customers and their auditors. It deals with the testing of the procedures, processes and controls that we have established for the operation and safety. ISO 27001 is an international standard which sets very high demands on the organization regarding information security and risk management. An ISO 27001 compliant / certified service provider is valuable for all customers who have requirements for how the vendor handles security risks and controls security incidents that can have a negative impact on the quality of services delivered and the information to be protected.

And what about CAIQ? Is this also a certification or is it something else?
Consensus Assessment Initiative Questionnaire (CAIQ) is a form from Cloud Security Alliance (CSA) that helps customers assess the security features of a cloud provider. The questionnaire contains about 300 key questions for how IaaS, PaaS, and SaaS providers handle security. Itis a “heavy” list and many of the improvement we’ve made in the operations center comes from the list.
Do you have an example?
Well, the last project we did was about “hardening”. To harden the operating system to limit vulnerabilities. This is old news, but normally processes of executing these tasks are handled in a spreadsheet to ensure that necessary operations  are performed. We have worked with a configuration tool to continuously have control over what is done and not. With approximately 1,000 virtual machines and just over 20 employees, it is important not to add manually tasks if we shall be competitive with suppliers operating from low-cost countries.

What about GDPR? Has it impacted Basis Consulting as hosting (cloud) provider?
GDPR’n does not give us any new security tasks. GDPR is mostly about privacy. The law has many pages and paragraphs, but with our procedures, we will be covered. We must ensure what we have of already-established routines and document it. Handling of personal data becomes a greater challenges for some of our clients than ourselves.

And last. What does SAP demand to certify Basis Consulting as SAP Provider of hosting services and SAP provider of SAP HANA operations?
Thanks for asking. We were a few weeks ago re-certified by SAP as SAP Provider of hosting services (Level: advanced) for the 5th time, and that SAP Provider of SAP HANA operations for the 2nd time. The SAP certification team comes to us here in Oslo every second year to revise us with re-certification. All the topics we are audited on has different requirements that must be satisfied in accordance with SAP’s certification requirements. Examples are; setting up infrastructure, backup / restore concept, security, config tools, monitoring, SAP expertise, project management, etc. We have high scores of all the requirements now that we have been through this process three times. Next certification will be in 2019.

About Basis Consulting
Basis Consulting is a SAP Certified Provider of Hosting Services and SAP HANA Operations Services. Our Data Center is specially designed for SAP and we keep the operation of SAP applications secure and simple for our Customers.