Custodian achieved ISO27001 accreditation in July 2011.

The certification underlines Custodian’s commitment to preserving the confidentiality, integrity, and availability of all the physical and electronic information assets managed by the business. The Custodian Security Management System and processes covered by the ISO 27001 certification are based on a detailed risk management analysis of the company’s entire data centre network.

ISO27001 is one of the most rigorous international standards for system and physical security processes and effectively replaces BS7799-2, the original British Standards Institute standard. The audit and certification process focuses on every aspect of the business, including physical infrastructure, site security and access management, personnel capabilities, communications and operations, legal compliance criteria, and back-up and disaster recovery systems.

OUR INFORMATION SECURITY POLICY:

Custodian DataCentre is a leading independent provider of colocation, managed data centre, hosting and connectivity services in the UK. Custodian DataCentre specialises in the design, build, and management of business-critical hosting & environmentally sensitive locations, helping companies reduce the cost, complexity and security risks associated with maintaining mission critical and online environments. Custodian DataCentre services are underpinned by a resilient infrastructure, which includes multiple high-tech data centre Points-Of-Presence across the UK. Objectives Custodian’s objective for managing information security is to ensure business continuity and minimise business damage, by preventing and minimising the impact of security incidents. In deploying the Custodian DataCentre Information Security Management System (ISMS), the Management Team aim to maintain existing known risks at their current low level and ensure that new and changing risks are managed in an equally consistent and professional manner. Purpose The purpose of this Policy is to protect both Custodian DataCentre and its Customer’s Assets from all threats, whether internal or external, deliberate or accidental. Protection of information is set out in terms of:

• Confidentiality: ensuring only persons who are authorised have access to information.
• Integrity: ensuring the validity, accuracy and completeness of information.
• Availability: ensuring information, associated assets, and systems can be accessed when required by authorised persons.
• Regulatory: regarding regulations, laws and codes of practice in each country where it operates as a minimum standard in its Information security management standard.

In particular Custodian DataCentre will:

• Ensure that Custodian DataCentre management and employees comply with the requirements of the security policy.
• Minimise the risk of damage to company assets, information, reputation, hardware, software or data.
• Ensure that Custodian DataCentre employees and computer systems do not infringe any copyright, or licensing laws.
• Set out clearly the company’s policies relating to all aspects of the management of information, hardware, firmware and software.
• Define a systematic approach to risk assessment by identifying a method that is suited to the ISMS, the identified business information security, legal and regulatory requirements.
• Setting policy and objectives for the ISMS to reduce risks to acceptable levels. Determining criteria for
• accepting the risks and identify the acceptable levels of risk

All managers are directly responsible for implementing the Security Policy within their business areas, and for adherence by their staff. It is the responsibility of each member of staff to adhere to the Security Policy. Failure to do so may result in disciplinary action. The full policy is comprised of a series of policies which include the following. Personnel are required to sign for these policies to confirm their acceptance of these. These are displayed where relevant and are within the policy booklet:-

• Information Security Awareness and Education Policy P8.2
• Information, communications and technology acceptable usage of asset P11.3
• Media Handling P10.7
• Change Management P10.1.2
• Incident management – corrective actions P13
• Business continuity – see overall Business continuity plan
• Service provision P9.2.2
• Compliance with legislative, regulatory and contractual requirements P15
• Physical and logical access P11.1.1
• Network control P11.4
• Application and information access control policy P11.6
• Mobile computing and teleworking policy P11.7
• Monitoring policy P10.10
• Information systems acquisition, development and maintenance policy P12
• Physical and Environmental Security policy P9

Key Facts

“We did not use a consultancy to achieve ISO27001 (which can be a templated box ticking exercise) but our own people. This allowed us to involve everyone & to make the ethos of ISO27001 central to the operation of our organisation.”