annual reporting and was expanded to
Posted: Thu Dec 05, 2024 9:35 am
Table of contents
What is ISO 27001?
What are ISO 27017 and 27018 standards?
Kinsta ISO Certification Timeline
The advantages of ISO 27001 certification
Kinsta has always worked to protect the security of our hosting platform and our clients’ websites. Whether it’s protecting account information, providing tools to prevent external DDoS attacks, detecting and cleaning malware, or alerting website owners about vulnerabilities in WordPress plugins, data security is one of our core strengths.
But any hosting company can easily make that claim. Proving it is a challenge.
The best way to test such claims is to develop information security practices and policies that meet widely recognized standards and then have compliance with those standards confirmed by independent experts.
This is how Kinsta achieved compliance with the System and Organization Controls 2 (SOC 2) trust services criteria developed by the Association of International Certified Professional Accountants (AICPA) for the first time in 2023.
Then, in August 2024, after completing a full year of SOC 2 oversight, we received certification to the data security and privacy controls specified by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC).
This article examines Kinsta’s ISO/IEC certification under ISO 27001 and two of its extensions, ISO 27017 and ISO 27018.
What is ISO 27001?
Erik Van Dijk, IT Director at Kinsta, led the ISO 27001 certification efforts and declared the framework “the gold standard” in security compliance.
ISO 27001 specifies the controls necessary to protect the confidentiality, integrity and availability of information in an organization. Here is what each of those terms means:
Confidentiality — Ensuring that only authorized persons can access information.
Integrity — Ensuring that only authorized persons can modify information.
Availability — Ensuring that authorized persons can access information when they need it.
Van Dijk said ISO 27001 defines requirements for the various components of an Information Security Management System (ISMS). But that system is not just hardware and software. In addition to those technological controls, the ISMS includes organizational, people-related and physical controls:
Organizational controls — Define the standards to be followed and the behavior expected of users, equipment, software, and systems.
People-related controls — Provide the knowledge, education, skills or experience that people in the organization need to perform their jobs securely.
Physical controls — Items such as data center access cards, surveillance cameras, and intrusion detection sensors.
What are ISO 27017 and 27018 standards?
Van Dijk explained that ISO 27017 and 27018 are certifiable extensions of ISO 27001 and are especially important to Kinsta as they both apply to cloud computing environments.
ISO 27017 prescribes security controls and application guidelines for cloud computing environments. These controls apply to tasks such as:
Management of client assets after contract termination.
Separation of client virtual environments.
Client monitoring of activity in a cloud computing environment.
ISO 27018 focuses on the protection of personally identifiable information in cloud computing environments. These controls address issues such as:
Transparency in reporting the geographic location of customer data warehouses.
Restrictions on the use of customer data without consent.
Secure methods to return, transfer and securely delete personal information.
Kinsta ISO Certification Timeline
The year since achieving SOC 2 compliance has been a busy one for the security compliance team, especially for Van Dijk, who was simultaneously studying for and earning the Certified Information Systems Security Professional (CISSP) designation.
The initial SOC 2 designation in 2023 followed a three-month audit period and applied to the Security Critical Trust Service. That project evolved into ongoing monitoring that incorporated the SOC 2 Availability and Confidentiality criteria.
In the meantime, our work on ISO 27001 was already underway. Van Dijk said that his extensive research into the requirements of ISO 27001 started around November 2023.
“ISO 27001 is very documentation and process-heavy,” he said. “It still contains a number of technical controls, but the whole premise of the framework is to implement an information security management system and its associated policies and procedures.”
Van Dijk said a gap analysis suggested the SOC 2 project had already done around 40% of the work that needed to be done for ISO certifications. So when a cross-company team met in December 2023, it was able to quickly start uploading status information to Vanta, the platform chosen to assist with evidence collection.
The team created 13 new ISMS policies and refined some existing policies developed for SOC 2. In March 2024, the team turned to cloud security firm Rhymetec for an internal audit that helped determine what work remained to be done.
BARR Advisory later provided the independent audit that verified Kinsta’s eligibility for ISO certifications.
“We received constant praise from our auditors for how organized and prepared we were,” Van Dijk said.
The advantages of ISO 27001 certification
Kinsta’s ISO 27001 certification (and SOC 2 compli