In a landscape characterised by intense competition, changing technology and fast-evolving business needs, the ability to demonstrate compliance is becoming an important tool for every organisation. Whether driven by industry regulation or customer demand, you will be called on at some point to demonstrate your compliance with a range of standards and certifications.
When your IT systems are hosted in a third-party datacentre, this raises crucial questions: how can you be certain that the datacentre complies with the standards you are being judged against, and how can you provide evidence that it does?
We take questions of datacentre compliance very seriously, as we know your business relies on us being able to answer them. Our datacentres are compliant with a range of recognised standards, and are designed from the ground up to ensure that your servers, and therefore your customers’ data, are physically secure. We take the approach that our colocation services, rather than being seen as a complication on your path to compliance, should be a key enabler to you achieving the compliance you and your customers require.
We feel that compliance should not be considered an unnecessary and irrelevant box-ticking burden. Security standards have evolved to reflect real-world security concerns, and the controls you will be required to demonstrate compliance with are actually very good security practices that you should be looking to implement anyway. We take this practical approach to compliance: our primary purpose is to keep your systems and data secure. The audits we pass and the certificates we hold are simply how we demonstrate to you that we can and will do this, to the highest possible standard.
Our datacentres offer a high level of physical security, with multiple levels of access controls, internal and external CCTV, steel perimeter fencing preventing access, and visitors escorted by our staff. Our ISO 27001 accreditation for IT security management covers all of our datacentres and we can meet your compliance requirements such as those needed for PCI-DSS.
Indeed, colocating your servers in one of our datacentres can bring you greater peace of mind than hosting them on your own premises, as we take on much of the burden of ensuring your servers are secure. Datacentres are our business, and our experience combined with the economies of scale we achieve from hosting multiple customers allows us to make sure our datacentre environment has a greater degree of security and compliance than many organisations could achieve on their own premises.
Partnering with us as your colocation or managed hosting provider means that you don’t have to keep up to date with the ever-changing landscape of multiple compliance requirements; you can leave it to our experts. Regulatory controls that would be burdensome for you to understand, implement, document, and demonstrate in an audit have already been implemented and documented in our datacentres, and we can provide the certificates to prove this to your auditors. Your IT professionals can be freed from the need to deal with compliance frameworks and threat landscapes and can instead perform work that will directly benefit your business.
Standards our datacentres are certified against include:
- PCI-DSS SP 2.0 (Payment Card Industry Data Security Standard)
- ISO 27001:2013 (Information Security Management)
- ISO 9001 (Quality Management)
- ISO 14001 (Environmental Management)
- CSA STAR (Cloud Security Alliance Security, Trust and Assurance Registry)
- SSE Green Certificate (for purchasing 100% renewable energy)
These certifications, only awarded after rigorous independent audits, show our commitment to the highest levels of service and security. In a highly-regulated industry, you may need to show compliance with some or all of these standards yourself, and hosting your systems in a certified datacentre provides an essential confirmation of your commitment to security and compliance. But even where compliance is not an industry requirement for you, you still benefit from the peace of mind of knowing that we consistently give you the level of service and security that those certifications measure. The importance of compliance is not just to tick the box of an abstract regulatory requirement but to add real value to your business by guaranteeing a secure, reliable, consistent, and continually improving service.
The ISO approach to certification requires a continuous programme of audits to ensure continued compliance. The audit is structured around a defined global list of requirements and controls, and independent audits confirm that we remain compliant with them. Our certifications are valid for three years from the point they are awarded, but during that period a schedule of ongoing audits is established so that the management system is constantly reviewed using a sampling approach and a development and improvement cycle is undertaken.
The PCI-DSS standard specifies the minimum security processes to be applied in order to protect payment card data and transactions carried out using a payment card. We have been assessed against the PCI-DSS physical security requirements at our datacentres in Milton Keynes, South London, Maidenhead, South Yorkshire, Newcastle, Edinburgh and Medway. The assessment is carried out by an external auditor, is valid for 12 months, and covers areas such as perimeter protection, CCTV, access control for staff and visitors, staff awareness and training, and policies and record keeping.
If your IT systems handle payment card transactions, you need to demonstrate, as part of your own PCI-DSS compliance requirements, that your systems are hosted in a facility that meets the physical security requirements of the standard and that they are built on PCI-DSS “approved products”. Due to our PCI-DSS certification, our standard infrastructure components are considered approved. We can provide you with a Statement of Acknowledgement of Responsibilities, as required by the current PCI-DSS standard, that sets out which aspects of PCI-DSS compliance are our responsibility.
For further peace of mind we grant the right of audit to our customers, allowing you and your auditors to visit the datacentre and test the controls for yourself. Subject to agreement of suitable controls to protect our other customers, we will allow physical penetration testing of our facilities.
Contact us to find out more.