
ISO/IEC 27001:2013 Information Security Management

September 2024

NetApp holds itself accountable to physical, logical, process, and management controls throughout its business, which is demonstrated by the certification of NetApp information security management systems to ISO/IEC 27001 by an independent auditor.

The International Organization for Standardization (ISO) is an independent non-governmental organization whose members represent standards organizations from over 150 countries. The International Electrotechnical Commission (IEC) develops international standards for a wide range of electrical, electronic, and related technologies. The standards they develop are organized into various families. The ISO 27000 family—industry shorthand for the ISO/IEC 27000 family, including the ISO/IEC 27001:2013 standard—outlines hundreds of controls and control mechanisms designed to address various aspects of the security of information assets.

ISO/IEC 27001:2013 specifies an Information Security Management System (ISMS) framework and is the current de facto international standard for one. It defines controls related to establishing, implementing, maintaining, and improving an organization’s system for managing information security. The basis of this certification is the development and implementation of a comprehensive security program. ISO/IEC 27001 also prescribes a set of practices that include requirements to thoroughly document the process along the way.

The organization determines the scope of the assessment for certification, and the certification process begins with a preliminary review of the ISMS. This is followed by a formal compliance audit in which the certifying auditor performs independent tests of the ISMS against ISO/IEC 27001 requirements to confirm that it has been correctly designed and implemented. The certifying body also conducts ongoing reviews to help ensure that the organization’s ISMS remains in compliance with the standard.

NetApp and ISO/IEC 27001

NetApp engages an accredited certification body, Schellman & Company, on an annual basis to certify ongoing ISMS conformance with the ISO/IEC 27001 standard. Schellman has verified that in-scope NetApp products and services meet the physical, logical, process, and management controls defined by ISO/IEC 27001.

ISO/IEC 27001 compliance helps NetApp maintain an ISMS that manages risk and meets information security objectives with policies, procedures, and controls that maintain the confidentiality, integrity, and availability of information. It also helps meet legal, regulatory, statutory, and contractual obligations, and protects NetApp’s brand.

Achievement of ISO/IEC 27001 certification provides valuable evidence to customers and partners by demonstrating our clear commitment and ability to meet the stringent security requirements of highly regulated sectors such as finance and healthcare. ISO/IEC 27001 compliance also helps to assure the security of NetApp’s supply chain through vendor management policies, procedures, and controls that protect our assets.

NetApp in-scope products and services

  • Astra Control
  • BlueXP (formerly known as Cloud Manager Platform)—App Template, Backup for Kubernetes, Cloud Backup, Cloud Data Sense, Cloud Manager, Cloud Sync, and Cloud Tiering
  • CloudCheckr
  • Cloud Insights
  • Cloud Volumes Service for AWS
  • Cloud Volumes Service for Google Cloud
  • Corporate IT Systems
  • Instaclustr by NetApp
  • NetApp Managed Services in India: administration, monitoring, operation, and optimization of Data Fabric solutions, along with operation of Keystone solutions
  • SaaS Backup
  • Spot by NetApp

Audits, reports, and certificates

Login is required to access the ISO/IEC 27001 certificates for the products and services listed above.

Frequently asked questions

Why is ISO/IEC 27001 certification essential for a cloud computing environment?

In the cloud, security assurance is achieved by customers who adopt a “trust but verify” relationship with their cloud service provider (CSP). Customer data and information are only as secure as the policies, procedures, and controls implemented by the CSP. ISO/IEC 27001 certification provides certified assurance by a third party that CSP policies, procedures, and controls are adequately designed and implemented to protect the confidentiality, integrity, and availability of customer data and information. Customers operating in a multi-cloud environment who require ISO/IEC 27001 compliance need to work closely with their providers to ensure that all applicable controls are implemented appropriately.
