Operating in compliance with national and international information security and engineering standards
NetApp holds itself accountable to physical, logical, process, and management controls throughout its business. This accountability is demonstrated by the certification of NetApp's Information Security Management Systems to ISO/IEC 27001 by an independent, accredited auditor.
The International Organization for Standardization (ISO) is an independent nongovernmental organization whose members are the national standards bodies of more than 150 countries. The International Electrotechnical Commission (IEC) develops international standards for a wide range of electrical, electronic, and related technologies. Standards the two bodies publish jointly are organized into families. The ISO 27000 family (industry shorthand for the ISO/IEC 27000 family, which includes the ISO/IEC 27001:2013 standard) defines a catalogue of controls and control mechanisms addressing the security of information assets; the 2013 edition of ISO/IEC 27001 alone lists 114 controls in its Annex A, and companion standards such as ISO/IEC 27002 supply implementation guidance for each.
ISO/IEC 27001:2013 specifies the requirements for an Information Security Management System (ISMS) and is the internationally recognized standard for one. Its main clauses set requirements for establishing, implementing, maintaining, and continually improving an organization's system for managing information security, and its Annex A lists the controls an organization selects from, based on its risk assessment, to treat identified risks. The basis of certification is the development and implementation of a comprehensive security program. ISO 27001 also requires that the program be documented: a certified organization must maintain documented information such as the ISMS scope, the information security policy, the risk assessment and risk treatment plan, and a Statement of Applicability recording which controls were selected and why. Note that the 2013 edition was superseded by ISO/IEC 27001:2022, which restructures Annex A into 93 controls; organizations certified against the 2013 edition were given a three-year transition period to move to the 2022 edition.
The organization determines the scope of the ISMS to be certified, and the certification process begins with a preliminary review of the ISMS documentation (the Stage 1 audit). This is followed by a formal certification audit (Stage 2) in which the certifying auditor independently tests the ISMS against the ISO 27001 requirements to confirm that it has been correctly designed and implemented and that the selected Annex A controls are operating. Certification is issued for a three-year cycle: the certification body conducts surveillance audits, typically annually, to confirm that the ISMS remains in conformance, and a full recertification audit before the cycle ends.
NetApp engages an accredited certification body, Schellman & Company, on an annual basis to audit ongoing ISMS conformance with the ISO 27001 standard. Schellman has verified that in-scope NetApp products and services meet the physical, logical, process, and management controls defined by ISO 27001.
ISO 27001 compliance helps NetApp maintain Information Security Management Systems that manage risk and meet information security objectives with policies, procedures, and controls that maintain the confidentiality, integrity, and availability of information; meet legal, regulatory, statutory, and contractual obligations; and protect NetApp’s brand.
The broad global acceptance of the ISO 27001 standard makes NetApp's certification a reliable indicator of the state of its information security management for in-scope services. Achievement of ISO 27001 certification provides valuable evidence to customers and partners by demonstrating our clear commitment and ability to meet the stringent security requirements of highly regulated sectors such as finance and healthcare. ISO 27001 compliance also helps to secure NetApp's supply chain: the standard's supplier-relationship controls require vendor management policies, procedures, and controls that protect our assets when third parties handle them.
In the cloud, security assurance is achieved by customers who adopt a "trust but verify" relationship with their cloud service provider (CSP). Customer data and information are only as secure as the policies, procedures, and controls implemented by the CSP for its side of the shared-responsibility model. ISO 27001 certification provides third-party assurance that CSP policies, procedures, and controls are adequately designed and implemented to protect the confidentiality, integrity, and availability of customer data and information. A certificate covers only the services and locations named in its scope statement, so customers verifying a provider should read that scope statement, confirm that the services they consume are listed, and request the provider's Statement of Applicability to see which controls are in place; controls on the customer side of the boundary, such as identity and access configuration within the service, remain the customer's responsibility regardless of the provider's certification. Customers operating in a multi-cloud environment who require ISO 27001 compliance need to work closely with all their providers to ensure that applicable controls are implemented by the appropriate parties.
How NetApp manages the confidentiality, integrity, and availability of data in a cloud computing environment