The internationally recognised ISAE (International Standard on Assurance Engagements) 3000 and 3402 standards provide insight into the reliability and quality of our data center services. Risk management, the quality of underlying processes and information security were all aspects which fell under the audit. 'Type II' indicates that the measures were tested over a certain period of time.
To ensure that data is stored securely and properly, customers are increasingly asking for proof of compliance with certain reporting standards such as ISAE 3000 and ISAE 3402. We can now show our customers a report that officially confirms they are safe with us.
After the introduction of the new European General Data Protection Regulation (GDPR), which comes into force on 25 May, 2018, a whole new situation will emerge in terms of accountability. It used to be enough for companies to prove they adhered to the regulations after the event, but they will now have to take a more proactive approach to this. Essentially, they will have to have the required information and documents on hand to prove that they comply with the regulations, even before they are audited. Companies that do not do so will immediately fall into the non-compliant bracket. Not complying with the regulations could have serious consequences; penalties issued under the new EU regulations may reach up to 4% of global turnover.
The fact that we have both standards doesn’t necessarily mean that our customers are GDPR compliant, but it does get them much closer. After all, the first step for customers to take to comply with the regulations is to make sure that their IT data is stored securely. Since LCL has both standards, our customers know exactly where they stand. It makes it much easier to assess risk management.
The audit for both assurance reports was conducted by Deloitte. Unlike an ISO certification, the ISAE standards set no specific criteria with which a company must comply. Therefore, three aspects were chosen: access to the data center (fencing, video surveillance, door), incidents and the reporting thereof, and maintenance (of the fence, the generators, the UPS, etc.). The audit lists the measures which were implemented in practice to manage risks and secure information.