"ISO 27001 is one of the most widely recognized, internationally accepted independent security standards and we have earned it for the systems, technology, processes and data centers serving Google Apps for Business," shared Eran Feigenbaum, Director of Security, Google Enterprise.
Google's auditor in this case was Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council and a member of the International Accreditation Forum.
"This new certification, along with our existing SSAE 16 / ISAE 3402 audits and FISMA certification for Google Apps for Government, help assure our customers that Google is committed to ongoing development and maintenance of a robust Information Security Management System (ISMS) that an independent, third-party auditor will regularly audit and certify," Feigenbaum pointed out.
"ISO 27001 is certainly a big step for Google - complying with this standard is very important for any high growth technology company since in most cases such growth causes weaknesses due to unstructured approach to security. ISO 27001 helps companies systematically resolve most of the information security issues - recognizing what are the biggest threats and then defining precisely how to resolve those threats and who is responsible for doing it," Dejan Kosutic, founder of Information Security & Business Continuity Academy, commented for Help Net Security.
"Having ISO 27001 certificate doesn't guarantee Google is 100% secure, though. For example, Amazon had ISO 27001 certificate for it's AWS, yet in April 2011 it experienced a very well-known outage that had a negative impact on several of their clients, including Reddit, HootSuite, Quora, and Foursquare."
"Nevertheless, this is a very positive step for Google that perhaps won't eliminate all the security issues completely, but will drastically decrease their weaknesses and therefore number of incidents. And that is something users of their services are certainly looking forward."