Akamai and ISO Compliance: Quick Facts
Akamai is currently assessed annually against the controls in ISO 27002, an internationally recognized code of practice that defines controls and best practices within the framework of an Information Security Management System (ISMS).
The year 2013 saw a major overhaul of both ISO 27001 and ISO 27002. Akamai was assessed against ISO 27002:2013 rather than against ISO 27002:2005 this past year.
Specifically, Akamai's Information Security Management System (ISMS) is based on ISO 27001/27002 (formerly BS 7799, later ISO 17799), the Code of Practice for Information Security Management. As part of maintaining that ISMS, the company undergoes an annual assessment by an independent third party.
What follows is a glimpse of how Akamai's procedures apply — and how the company helps customers address their own needs — around the standard.
First, some background:
ISO (International Organization for Standardization) is an independent, non-governmental membership organization and the world's largest developer of voluntary International Standards. Many of Akamai's security procedures were developed around the provisions of ISO 27002.
ISO 17799 was originally published in the early 1990s as the "DTI Code of Practice" by the Department of Trade & Industry in the UK. In 1995, it was further developed by BSI committee BDD/2 and published as BS 7799. ISO 27002 is simply a renumbering of ISO 17799, done in 2007 as part of a large restructuring by ISO of its information security standards into the 27000 series. No major change in content was made at that time, since ISO 17799 had already undergone a comprehensive revision in 2005.
Another comprehensive revision of ISO 27002 took place in 2013.
The latest version, ISO 27002:2013, contains 35 control objectives and 114 specific controls, organized into 14 security control clauses (sections 5 through 18 of the standard).
Supporting text under each control objective contains advice on how to satisfy the objective, and mentions a number of best practice information security controls. Throughout the standard, the need for risk assessment is emphasized.
You can read more about ISO security standards here: http://www.iso.org/iso/home/about.htm
At Akamai, the Compliance Management module for ISO includes several of the company's policies and procedures. Because one-off individual reviews don't scale well across multiple customers, Akamai provides free support services for customers who require a more in-depth compliance, audit, and assurance review.
These audits cover the entire company, both corporate facilities and the production network of tens of thousands of servers deployed in approximately a thousand networks. Akamai provides the summary of findings from that assessment to customers as evidence that its security program is in place and functioning.
As part of the PCI Compliance Module, Akamai also provides vulnerability scan results for the network infrastructure, with false positives removed.