Sign in to my dashboard Create an account
blue gray background with white magnify glass

ISO/IEC 27001:2013 Information Security Management

March 2023

NetApp holds itself accountable to physical, logical, process, and management controls throughout its business, which is demonstrated by the certification of NetApp information security management systems to ISO/IEC 27001 by an independent auditor.

The International Organization for Standardization (ISO) is an independent non-governmental organization whose members represent standards organizations from over 150 countries. The International Electrotechnical Commission (IEC) develops international standards for a wide range of electrical, electronic, and related technologies. The standards they develop are organized into various families. The ISO 27000 family—the industry shorthand for the ISO/IEC 27000 family, including the ISO/IEC 27001:2013 standard—outlines hundreds of controls and control mechanisms designed to address various aspects of the security of information assets.

ISO/IEC 27001: 2013  specifies an Information Security Management System (ISMS) framework, the current de facto international standard. It defines controls related to establishing, implementing, maintaining, and improving an organization’s system for managing information security. The basis of this certification is the development and implementation of a comprehensive security program. ISO 27001 also prescribes a set of practices that include requirements to thoroughly document the process along the way.

The organization determines the scope of the assessment for certification, and the certification process begins with a preliminary review of the ISMS. This is followed by a formal compliance audit in which the certifying auditor performs independent tests of the ISMS against ISO 27001 requirements to confirm that it has been correctly designed and implemented. The certifying body also conducts ongoing reviews to help ensure that the organization’s ISMS remains in compliance with the standard.

NetApp and ISO/IEC 27001

NetApp engages an accredited certification body, Schellman & Company, on an annual basis to certify ongoing ISMS conformance with the ISO 27001 standard. Schellman has verified that in-scope NetApp products and services meet the physical, logical, process, and management controls defined by ISO 27001.

ISO 27001 compliance helps NetApp maintain an information security management system that manages risk and meets information security objectives with policies, procedures, and controls that maintain the confidentiality, integrity, and availability of information; helps meet legal, regulatory, statutory, and contractual obligations; and protects NetApp’s brand.

The broad global acceptance of the ISO 27001 standard makes NetApp’s certification a reliable indicator of the state of its information security management for in-scope services. Achievement of ISO 27001 certification provides valuable evidence to customers and partners by demonstrating our clear commitment and ability to meet the stringent security requirements of highly-regulated sectors such as finance and healthcare. ISO 27001 compliance also helps to assure the security of NetApp’s supply chain through vendor management policies, procedures, and controls that protect our assets.

NetApp in-scope products and services

  • Amazon FSx for NetApp ONTAP
  • Astra Control
  • Azure NetApp Files
  • BlueXP (formerly known as Cloud Manager Platform)—App Template, Backup for Kubernetes, Cloud Backup, Cloud Data Sense, Cloud Manager, Cloud Sync, and Cloud Tiering
  • CloudCheckr
  • Cloud Insights
  • Cloud Volumes Service for AWS
  • Cloud Volumes Service for Google Cloud
  • Corporate IT Systems
  • Instaclustr
  • NetApp Managed Services in India: Administer, Monitor, Operate, and Optimization of Data Fabric Solutions, along with Keystone solutions operation
  • SaaS Backup
  • Spot PC

Audits, reports, and certificates

These certificates and reports are stored in the NetApp Trust Center Library. Login is required.

These certificates are stored as indicated:
  • Amazon FSx for NetApp ONTAP
    Amazon Web Services (AWS) manages ISO 27001 compliance for Amazon FSx for NetApp ONTAP. For information, refer to AWS ISO and CSA STAR Certified.
  • Azure NetApp Files
    Microsoft manages ISO/IEC 27001 compliance for Azure NetApp Files. For information, refer to Microsoft Azure Compliance Offerings (pages 8 and 18).

Frequently asked questions

Why is ISO 27001 certification essential for a cloud computing environment?

In the cloud, security assurance is achieved by customers who adopt a “trust but verify” relationship with their cloud service provider (CSP). Customer data and information are only as secure as the policies, procedures, and controls implemented by the CSP. ISO 27001 certification provides certified assurance by a third party that CSP policies, procedures, and controls are adequately designed and implemented to protect the confidentiality, integrity, and availability of customer data and information. Customers operating in a multi-cloud environment who require ISO 27001 compliance need to work closely with all their providers to ensure applicable controls are implemented by the appropriate parties.

Back To Top

Next Steps

Drift chat loading