When selecting a data center partner, there are many critical things to evaluate. Security, availability, sustainability, and location are key considerations, and compliance intertwines with all of them. In practice, verifying certifications and audit reports is the most direct way to gauge the overall risk of a colocation partner.
To secure your mission-critical infrastructure, you’ll need a colocation partner with a wide-ranging, comprehensive compliance program that aims to improve continually.
So, what sets a compliance program apart? The best way to evaluate it is to review the data center’s certifications and third-party audit reports, and to ask how the program will develop in the future.
Why are information security audits so important?
A colocation provider mitigates risk by employing physical and environmental controls from both an operational and a security standpoint. These controls usually derive from widely used risk management and information security standards such as ISO 27001, COBIT, or NIST.
Ensuring proper redundancy, maintenance, and operation of critical infrastructure, along with the upkeep and continual improvement of an information security program, are large components of a comprehensive compliance program. However, these controls are only meaningful to outside parties when they have been validated by an objective, independent, third-party audit firm.
In addition to controls being in place, proper leadership buy-in is critical in a well-operated Compliance and Risk program.
To attain the certifications and reports that demonstrate enterprise risk management, management participation, awareness, and constant evolution are what separate an effective program from one that is not yet well established or mature.
That, in turn, benefits customers by reassuring them that all levels of the organization are involved in the availability and security of information assets.
What certifications are needed?
At a minimum, your colocation provider should have industry-standard compliance practices in place, starting with a SOC 2 report (ideally a Type II report, which covers the operation of controls over a period rather than at a single point in time) and a certified ISO 27001 Information Security Management System.
Together, these two demonstrations of compliance signal to customers, and to their customers in turn, that a proper Information Security Management System is in place and that independent audits occur regularly.
Depending on your industry, you may also require regulatory frameworks outside of SOC and ISO. Choosing a colocation partner with a comprehensive compliance program makes it far easier to obtain the certifications and reports your industry requires.
What sets our compliance program apart?
At Iron Mountain Data Centers, we are proud to have the most comprehensive compliance program in the industry. We take a well-rounded approach to compliance, and cater to every need of the customer, whether that’s information security, energy, environmental or health and safety compliance.
We understand that, although the data center industry is still young, the requirements of a diverse range of customers have evolved rapidly. To keep pace, we leave no stone unturned when it comes to meeting customer needs.
Enterprise-wide compliance: Breadth and depth
We provide an enterprise-wide, consistent approach to all types of regulatory and standards compliance. If we have a certification or report at one facility, you can rest assured that it is in place across our portfolio or across a given region.
We offer consistent reporting and rigorous auditing across the enterprise to mitigate risk and to streamline the customer audit process.
Ultimately, this makes it easier for our customers when they are interested in a particular market. They know exactly what they can expect at each of our data centers, no matter what their requirements and initiatives are.
Going above and beyond
In addition to the certifications that are common in the industry, we go above and beyond to align with standards and reports that meet the most stringent federal security requirements, and that reinforce our commitment to continual improvement and sustainability through our energy efficiency and environmental efforts.
No other data center provider in the industry can show and talk through the third-party audit reports, certifications, or rigor behind their sustainability and energy management programs that we can, from an enterprise perspective.
What sets us apart is that we respect and comply with local nuances, and offer a consistent product, tailored to local requirements in each geography.
What is NIST 800-53 and why is it important?
NIST Special Publication 800-53 is a comprehensive catalog of security and privacy controls that US federal information systems are required to implement under FISMA, and that largely extends to systems operated by federal contractors and subcontractors on the government’s behalf.
At Iron Mountain Data Centers in the United States, one of our key hallmarks is that we have the NIST 800-53 attestation and report across the board at all facilities. This means we offer customers from the federal sector and their subcontractors the same level of support and compliance at every US location.
Having the NIST 800-53 report and attestation in place at all sites enables our customers to inherit FISMA High data center controls and to complete FedRAMP assessments in a streamlined manner. Inheritance covers the physical and environmental controls the facility operates; the customer remains responsible for the logical, personnel, and other controls within its own system boundary.
When a customer needs support from IMDC in their assessment, we’re able to show full compliance with the physical and environmental controls that map to the FISMA High baseline.
Our state-of-the-art physical security standards and processes allow full compliance with even the most stringent government requirements, such as the Department of Defense Cybersecurity Maturity Model Certification (CMMC).
Mapping our control set to the applicable CMMC controls clarifies alignment when our customers need help during the last mile of their CMMC assessments.
All in all, this makes it easier for our customers to audit compliance and to demonstrate maturity in their own internal and third-party assessments across the five levels of CMMC (as defined in CMMC version 1.0).
ISO 50001 and ISO 14001
We're excited to announce that we are now the first and only data center services provider in the industry to have an enterprise-wide certified ISO 14001 and 50001 environmental and energy management system, further strengthening our commitment to energy efficiency and overall environmental management.
For these certifications, an independent third-party assessor audits our entire global portfolio against the ISO 50001 and ISO 14001 international standards. Many organizations align with these frameworks as they begin their environmental initiatives, but full certification is time-consuming to implement.
Over time, we’ve adopted many practices that make a noticeable difference in preparing for environmental risks and improving energy management. These practices are refined and audit-ready, so we can demonstrate our commitment to the planet.
This takes our program to a different level of continuous improvement. It commits our teams to employing specific environmental practices every year, improving our posture from an environmental and energy standpoint.
ISO 14001 and ISO 50001 certification hinges on the program being maintained properly with constant improvement and leadership involvement.
Why are ISO 50001 and ISO 14001 important?
Having a sustainability plan and roadmap in place is more important now than ever, given the growing climate and environmental impact of the technology industry.
As advancement and innovation drive the growth of software and services, demand for hardware and the space to host it grows in parallel. With that said, our customers and their customers have initiatives of their own around sustainability and environmental stewardship.
More than ever, customers of all industries and sizes are inquiring about sustainability, and it is our goal to support them as partners on that journey. We aim to align with their goals and objectives, and we demonstrate this through rigorous third-party audits.
It’s important to note that sustainability can often be overshadowed by an abundance of statements and press releases, but in reality, it’s about making a material difference that can be validated by outside parties.
Our approach focuses on obtaining external opinions of our work through independent assessments, so that all the qualitative and quantitative data we provide to customers has integrity and is fully transparent.
ISO 45001: Health and safety management
Iron Mountain Data Centers is setting the trend in data center workplace safety through our certification against ISO 45001, the international standard for occupational health and safety (OH&S) management systems.
ISO 45001 provides a single, clear framework for any organization wishing to improve its OH&S performance. The goal of ISO 45001 is the reduction of occupational risks and hazards, including promoting and protecting physical and mental health.
Taking care of our employees and everyone at our facilities is a top priority. Certifying against the ISO 45001 standard ensures that we go above and beyond health and safety best practices and local law and regulation, and that we operate a system that reduces overall risk, eliminates hazards, and reduces incidents on site.
Certifying against the framework matters because it demonstrates a holistic approach to planning work, organizing activities, and ensuring that adequate risk consideration is part of our daily site operations.
Looking to the future
At Iron Mountain Data Centers, we are incredibly proud of our compliance program and the teams that support it. Every one of our employees plays a vital part in what we offer, and that is what allows us to deliver continual improvement to our customers.
The foundation we have built sets the standard for what we will do in the future. We continue to look ahead, keeping our ear to the industry and listening to our customers.
We are committed to implementing programs that scale, not only for ourselves but for our customers, giving them what they need for the future.