When choosing a hosting provider, it is crucial that you look for compliance certification. However, there are so many different compliance standards out there today that it can be hard to determine which credentials carry the most weight. Actually, it’s not as difficult as it might seem. The real trick is to know which set of standards applies to you, the business, rather than the host. Here’s a quick breakdown and comparison between three of the most frequently confused standards certifications today.
Once upon a time, back in the 1990s, SAS 70 was the golden rule for hosting providers (and for many others). That’s no longer the case. This is an old set of standards that is not up to snuff when it comes to protecting data in today’s vastly more sophisticated and dangerous world. Just as threats to information security have evolved over time, so have the standards to which hosting providers (and businesses dealing with sensitive information) must adhere.
SAS 70 is an older type of certification that is issued by the American Institute of Certified Public Accountants. Yes, you read that correctly. Moreover, only a licensed CPA can issue SAS 70 certification. What do accountants know about information security? Sadly, the answer is “not much”. With that being said, it is still a very frequently used certification in the United States, but it should never, ever be taken as proof that the host (or your business) is in compliance with other standards, such as HIPAA or PCI-DSS. Note that in a SAS 70 audit, which is necessary for certification, the hosting company chooses which controls it wants to be audited on, and other areas are ignored.
Finally, understand that SAS 70 has largely been phased out and replaced by SSAE 16 (Statement on Standards for Attestation Engagements). SSAE 16 actually has many more similarities to ISO 27001 than SAS 70 does, although the two sets of standards are not identical.
ISO 27001 is perhaps the most globally accepted set of standards when it comes to general information security. Note that it does not apply to health care organizations or their business associates that deal with sensitive patient data (not in the US, at least). So, while ISO 27001 compliance is definitely a sign that a hosting provider does a good job of protecting information in general, it is not a substitute for HIPAA compliance or PCI compliance. For health care organizations or any other business that deals with sensitive patient data, ISO 27001 compliance alone is not enough.
With that being said, ISO 27001 shares quite a few similarities with HIPAA and even with PCI-DSS (but not really with SAS 70 to any great degree). That means it can dovetail with other certification types, and is often necessary to protect non-patient data within your organization. To be clear, ISO 27001 is only one part of what is needed: 27001 is the set of standards, while 27002 is the companion set of best practices that actually tells an organization how to become compliant with those standards.
PCI-DSS is a set of standards developed by the payment card industry, and applies to any organization that works with cardholder data in any way, shape or form. Like HIPAA, it is a mandatory credential, and if you intend to handle, store, assess, analyze or transmit cardholder data from your website or business via electronic means, then your hosting provider absolutely must be PCI compliant.
Note that you, the merchant, are responsible for ensuring PCI compliance on your part. However, there are also some requirements that apply to the hosting provider and pertain to the server environment. Other than the server hardware and the hosting provider’s specific onsite responsibilities, you are responsible for making sure that all software used (from your website framework to your shopping cart and even the means of file transmission used) is compliant with PCI-DSS requirements.
When considering a hosting provider, whether you’re interested in cloud hosting, dedicated hosting, colocation or some other version, it is crucial that you ensure the host (and your own business) complies with the right set of standards. SAS 70 is dead. This certification should carry little to no weight and should not influence your choice of provider. It’s much more important to make sure that the provider is PCI compliant if you work with cardholder information, and to make informed decisions about your own software and IT infrastructure.
ISO 27001 certification is also an important element, and can dovetail with PCI certification to show that a hosting provider offers robust protection for all aspects of your business’s data, from payroll and business-critical data to cardholder information, customers’ personal information and everything in between. SSAE 16 is also more important than SAS 70, as it reflects a more up-to-date set of standards. However, even SSAE 16 is not a replacement for PCI compliance.
Not covered here is HIPAA compliance. This only applies to health care organizations and their business associates that deal with patient information in some way. It differs significantly from both ISO 27001 and PCI-DSS, but if your organization fits the bill, this certification should also be considered when comparing hosting providers.
As you can see, each set of standards and each certification is different, and they don’t apply to all businesses across the board. It’s crucial that you do your due diligence when choosing a hosting provider and opt for a company that can prove compliance with the set of standards (or sets, in some cases) that applies to you. Remember that your choice of hosting company will have an impact on your own compliance and certification, so choose your provider with care and understand the different requirements and focus areas of PCI, ISO 27001 and SAS 70.