At ThousandEyes, we hold several information security certifications and audit reports. Information security professionals will understand and likely appreciate the significance of our efforts; however, those not specialized in this field might find them less clear. As such, we present this article to inform anyone interested in these certifications of their implications, regardless of their background.
ISO 27001
The ISO 27001 standard is the information security framework that lays out requirements for establishing, implementing, maintaining, and continually improving an organization’s information security program. In ISO terms, it is called the Information Security Management System (ISMS). If you are not an ISO expert, just remember that ISMS means an information security program. This certification was the first globally acknowledged one for an organization’s information security program, and many still consider it the best today.
Getting certified is not easy, and the organization must demonstrate that it has effectively implemented an adequate information security program. To begin the process of becoming certified, third-party auditors look at the framework for the organization’s information security program for things like:
- Context of the organization
- Leadership
- Planning
- Support
- Operation
- Performance evaluation
- Plans for Improvement
The next thing the third-party auditors look at is how the information security program is implemented compared to the standard’s list of controls in ISO 27001 Annex A. The “Annex A controls” are complemented by ISO 27002, which provides guidance for the typical information security control objectives and the information security controls implemented to meet those objectives. The information security control areas are:
- Information security policies
- Organization of information security
- Human resources security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- Systems acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Compliance
One nice thing about ISO standards is that they are updated from time to time to ensure that they remain relevant in an ever-changing world. So even though the standard first started when mainframe computers were all the rage, it remains relevant in today’s cloud-focused world.
One particularly positive trait of the ISO 27001 framework for a security program is that it is adjustable and able to cover additional areas within Information Security that may be relevant to an organization. We will cover the ones ThousandEyes has found relevant in the following paragraphs.
ISO 27017
The ISO 27017 standard is the code of practice for information security controls for cloud services. Since ThousandEyes is hosted in AWS, we pursued this extension to the ISO 27001 standard to give customers added assurance that the ISO 27001 Annex A controls are sufficient for the ThousandEyes application. This standard also reassures customers that the additional cloud security controls and implementation guidance specified in this standard have been implemented appropriately to cover the following areas:
- Relationship between cloud service customer and cloud service provider
- Removal of cloud service customer assets
- Segregation in virtual computing environments
- Virtual machine hardening
- Administrator's operational security
- Monitoring of Cloud Services
- Alignment of security management for virtual and physical networks
ISO 27018
The ISO 27018 standard is the code of practice for the protection of personally identifiable information (PII) within public clouds. ThousandEyes pursued this extension to the ISO 27001 standard to assure customers that the ISO 27001 Annex A controls are appropriate for processing their personal data in the AWS environment and that ThousandEyes has implemented them in our product. In turn, this standard gives the extra assurance that the additional cloud privacy controls and guidance specified in this standard have been implemented appropriately to cover the following areas:
- Consent and choice
- Purpose, legitimacy and specification
- Data minimization
- Use, retention and disclosure limitation
- Openness, transparency and notice
- Accountability
- Information security
- Privacy compliance
ISO 27701
This brings us to our next ISO certification, which is also related to privacy. The ISO 27701 certification extends the entire information security program from ISO 27001 to cover privacy with additional privacy requirements and guidelines. In ISO language, that means extending the ISMS to create a Privacy Information Management System (PIMS). To reiterate, for readers who may not be ISO experts, just remember that PIMS = Privacy Program. By implementing the guidelines for managing privacy in 27701, ThousandEyes has complemented our existing information security program with a privacy program. The ISO 27701 standard provides specific guidance on extending the ISO 27001 Annex A controls to account for privacy considerations. Since you can’t have privacy without security, this is a natural extension.
In addition to the privacy requirements for the ISO 27001 Annex A controls, the ISO 27701 standard has additional requirements depending on whether the organization wants to get certified as a processor, controller, or both. Since ThousandEyes provides a SaaS solution to its customers, we are certified to the processor requirements. These requirements cover:
- Conditions for collection and processing
- Obligations to PII principals
- PII sharing, transfer, and disclosure
These requirements go further than the ones listed for ISO 27018 and essentially overlap the ISO 27018 requirements. While ISO 27018 ensures privacy controls are considered for implementation within a cloud environment, ISO 27701 requires a comprehensive privacy program. Since all of the ISO certifications described above are related extensions of the ISO 27001 standard, there is only one certificate issued which lists compliance with all of the ISO 27
SOC 2
Another common type of security credential that ThousandEyes has obtained is a Service Organization Controls (SOC) 2 report. The American Institute of Certified Public Accountants (AICPA) defines this report’s requirements. You might be wondering why accountants would know or care about information security. As part of their effort to perform accounting for their clients, accounting firms wanted to ensure that the data they got from third-party service organizations was trustworthy (think of a payroll provider like ADP). These third-party organizations did not want to go through the effort of being reviewed by each of their clients, so these types of reports were created so that the service organization could be audited once by a third party, and customers and financial auditors could be given the same reassurance that the proper controls were in place to ensure the data this service organization provided was trustworthy. Although there are different types of SOC reports tailored to specific needs, they all aim to provide assurance that the information the service organizations provide can be relied upon, because third-party auditors have verified the controls in place to ensure that information security controls are operating effectively. Since a large share of the controls in the digital age relate to security controls over information, the AICPA developed the standard for auditors to test these controls and determine if they were effective.
As previously mentioned, there are different types of SOC reports, and ThousandEyes has a SOC 2 Type 2 report. This designation means that the auditors have verified that the ThousandEyes systems design complies with the security trust principles and that the controls in this design have been effective over a period of time. SOC 2 relates to the security of an organization and involves checking compliance with its Security Trust Service Criteria, which cover the following areas:
One significant difference between SOC 2 and ISO certifications that customers appreciate is the availability of a full report that can be distributed to customers under a Non-Disclosure Agreement (NDA). This report is full of interesting information, including:
To see the ThousandEyes SOC 2 report, you will need to log into the Cisco Trust Portal and submit an NDA. Then, you can access the SOC 2 report directly or as part of the ThousandEyes Trust Package.
EU Cloud Code of Conduct
The EU Cloud Code of Conduct (CoC) is another privacy certification that helps demonstrate our commitment to meeting the requirements of the European Union’s General Data Protection Regulation (GDPR) in our cloud application. The GDPR is considered by many to be the global standard for privacy law, so demonstrating that our privacy program meets the requirements of this Code of Conduct should give organizations comfort that our privacy program is a mature and effective set of controls and processes to meet privacy requirements. There are different levels of compliance for this code of conduct, and ThousandEyes has been certified to the highest level, Level 3. Level 3 compliance means that a third party has thoroughly evaluated the privacy controls and processes of our ISO 27701 privacy program to ensure they are working as expected. Cisco is listed as a Level 3 adherent for the ThousandEyes cloud service.
ISO 22301
The ISO 22301 standard defines the requirements for implementing, maintaining, and improving a Business Continuity Program. The ISO 22301 certification also tested our adherence to guidance in the areas of:
You can find a white paper overview of the business continuity program and framework at Cisco’s Trust Center portal. There, you can also see additional information about ThousandEyes’ integration into the program in the ThousandEyes BC/DR Summary Document. Last but not least, the Cisco Trust Portal has a copy of the ThousandEyes ISO 22301 certification.
EU Privacy Shield
Our EU Privacy Shield certification is related to, you guessed it, privacy! The Privacy Shield Framework was designed by the United States (US) government to provide a legal mechanism to transfer data that includes Personally Identifiable Information (PII) from the European Union (EU) to the US in a manner that would protect the privacy of that PII data. The Privacy Shield Framework replaced the EU Safe Harbor program, which the EU ruled was inadequate to protect EU citizen privacy. The Privacy Shield Framework introduced a set of privacy processes and control requirements for companies that wanted to be covered by it. The certification process does not require a third party to validate that those requirements are met. Instead, it relies on the organization to verify adherence and make a public commitment to meet the requirements. That sounds kind of weak, huh? Well, the Privacy Shield Framework does make that commitment enforceable under United States law, which gives it some teeth. In 2020, additional rulings by the EU Court of Justice found that the Privacy Shield Framework was also inadequate. So you might wonder why ThousandEyes is still bothering with this certification. Well, there are a couple of reasons.
First, President Biden signed an Executive Order in 2022 that enhances the Privacy Shield Framework. By doing so, the Privacy Shield Framework has once again become “adequate” enough to serve as a legal mechanism for the transfer of PII from the EU to the US. This will comfort lawyers on both sides of the Atlantic, both from Cisco and our customers. Next, withdrawing from the Privacy Shield Framework entails a whole process to verify that EU PII data transferred under the Privacy Shield Framework is either properly deleted or retained in a manner consistent with the framework’s requirements. This process is a lot of work that has been rendered unnecessary since the Privacy Shield Framework has been ruled adequate. Finally, ThousandEyes is confident in its privacy program, and our ISO 27018, ISO 27701, and EU Cloud Code of Conduct certifications validate that confidence. Therefore, why not continue to publicly commit to meeting the Privacy Shield Framework requirements? To see our Privacy Shield certificate, go to the Cisco EU Privacy Shield listing, where it appears under “Other Covered Entities”.
CSA STAR
The Cloud Security Alliance (CSA) is dedicated to defining best practices for securing cloud environments. CSA has created a certification called the Security, Trust and Assurance Registry (STAR) certification. The STAR Registry is a publicly accessible registry that documents the security and privacy controls put in place by popular cloud computing offerings, including ThousandEyes. There are different levels of certification available, and ThousandEyes is certified to Level One. A tangible output of the STAR certification for an applicable product or service that utilizes the Cloud Controls Matrix (CCM) framework is a completed Consensus Assessment Initiative Questionnaire (CAIQ), which is the yes or no response to questions about how ThousandEyes has implemented information security according to the CCM.
Here is the CAIQ for ThousandEyes, which covers the 16 security domains of the CCM:
CSA Trusted Provider
ThousandEyes has further demonstrated a higher maturity level for meeting CSA security requirements by enrolling in the CSA Trusted Provider program. This means that we have:
If you have questions regarding our Information Security, Resiliency, or Privacy programs, please get in touch with us at security@thousandeyes.com.