ISO/IEC 27001:2013 Information Security Management

November 2021

NetApp holds itself accountable to physical, logical, process, and management controls throughout its business, which is demonstrated by the certification of NetApp information security management systems to ISO/IEC 27001 by an independent auditor.

The International Organization for Standardization (ISO) is an independent non-governmental organization whose members are the national standards bodies of more than 150 countries. The International Electrotechnical Commission (IEC) develops international standards for electrical, electronic, and related technologies. The standards the two bodies publish jointly are organized into families. The ISO 27000 family (industry shorthand for the ISO/IEC 27000 family, which includes the ISO/IEC 27001:2013 standard) defines the requirements for an information security management system together with the reference controls and implementation guidance that address the security of information assets.

ISO/IEC 27001:2013 specifies the requirements for an Information Security Management System (ISMS) and is the most widely adopted international standard for managing information security. It sets out requirements for establishing, implementing, maintaining, and continually improving an organization's ISMS, and its Annex A lists the reference controls against which the organization's own risk treatment is checked. The basis of certification is the development and implementation of a comprehensive, risk-driven security program. ISO 27001 also requires the organization to document its policies, risk assessment, risk treatment decisions, and the operation of its controls, so that an auditor can verify them.

The organization determines the scope of the ISMS that will be assessed for certification. The certification process begins with a preliminary review of the ISMS and its documentation (the Stage 1 audit). This is followed by a formal certification audit (Stage 2) in which the certifying auditor independently tests the ISMS against the ISO 27001 requirements to confirm that it has been correctly designed and implemented and that its controls are operating. The certification body then conducts annual surveillance audits, and a full recertification audit at the end of each three-year certificate cycle, to confirm that the organization's ISMS continues to conform to the standard.

NetApp and ISO/IEC 27001

NetApp engages an accredited certification body, Schellman & Company, on an annual basis to certify ongoing ISMS conformance with the ISO 27001 standard. Schellman has verified that in-scope NetApp products and services meet the physical, logical, process, and management controls defined by ISO 27001.

ISO 27001 compliance helps NetApp maintain an information security management system that manages risk and meets its information security objectives through policies, procedures, and controls that preserve the confidentiality, integrity, and availability of information. It also helps NetApp meet legal, regulatory, statutory, and contractual obligations, and it protects NetApp's brand.

The broad global acceptance of the ISO 27001 standard makes NetApp's certification a reliable indicator of the state of its information security management for in-scope services. ISO 27001 certification provides customers and partners with independent evidence that NetApp can meet the security requirements of highly regulated sectors such as finance and healthcare. ISO 27001 compliance also helps to assure the security of NetApp's supply chain through vendor management policies, procedures, and controls that protect NetApp's assets.

NetApp in-scope products and services

  • NetApp Cloud Services (Cloud Sync, Cloud Tiering, Cloud Manager, and Cloud Central)
  • NetApp Cloud Volumes Service for AWS
  • NetApp Cloud Volumes Service for Google Cloud
  • NetApp Corporate IT Systems
  • NetApp Managed Services in India: monitoring, administration, operation, and optimization of Data Fabric solutions, along with operation of Keystone solutions
  • NetApp SaaS Backup
  • Azure NetApp Files

Audits, reports, and certificates

These certificates and reports are stored in the NetApp Trust Center Library. Login is required.

Frequently asked questions

Why is ISO 27001 certification essential for a cloud computing environment?

In the cloud, security assurance is achieved by customers who adopt a "trust but verify" relationship with their cloud service provider (CSP). The portion of the environment that the CSP operates is only as secure as the policies, procedures, and controls the CSP implements, and the customer cannot inspect those controls directly. ISO 27001 certification provides independent, third-party assurance that the CSP's policies, procedures, and controls are adequately designed and implemented to protect the confidentiality, integrity, and availability of customer data and information. The assurance applies only to the services named in the certificate's scope, so customers should confirm that the services they rely on are in scope and that the certificate is current. Customers operating in a multi-cloud environment who require ISO 27001 compliance also need to work closely with all of their providers to ensure that each applicable control is implemented by the appropriate party, including the controls that remain the customer's own responsibility, such as access management and configuration of the services they consume.
