If you read our new and improved Security page, you’ve probably seen us namedrop ISO 27001 and PCI compliance, and today we’re going to go over what these certifications mean for you, your organization, and keeping your web projects and data/content safe.
What are certifications?
Certification programs help companies that undergo them prove that their products and/or services meet a defined standard. Clients and users, particularly large-scale customers where large sums of revenue can be on the line, value certifications as part of the development and maintenance of trust, performance, good practices, and communication by the organization they're dealing with.
It is best that certification is validated, along with subsequent audits to maintain certification status, by independent third-party auditors. This provides an objective view by removing the possibility of bias and conflict of interest from the equation.
Why should I care?
There are many benefits to working with an organization that is certified because certification is an indicator of quality and competency. Security is just one part of it, since the same statement applies broadly across certifications of all kinds. For instance, you're likely going to be much more confident, and not have to consciously worry about getting sick, when you enter a restaurant that you know is licensed and adheres to food safety standards, compared to a random pop-up stall by the highway that you have never seen before.
What starts with the benefit of peace-of-mind can translate into improved efficiency that can improve your bottom-line and, in the event of unforeseen incidents, limit impacts to it. In the case of security, those positive impacts can include:
- High uptime and availability of your content so your site is always reachable. This is especially important for organizations which rely directly on their web presence to generate revenue, such as ecommerce and online retailers
- Reduction in costs from avoiding unwanted incidents that could affect content availability or your users
- Subsequent increase in reputation and public relations from keeping the trust of your users
- Ability to stay informed of set standards and what they entail since specifications of various certifications tend to be made available by the bodies that set them
Rather than building from scratch or bending an existing solution to fit their needs, an increasing number of modern web projects are built from a combination of Software as a Service (SaaS) solutions to save time and resources. This makes security certification even more crucial, because you want to remain assured that the APIs you'll be plugging in aren't malicious, and that unwanted incidents and malicious parties are kept at bay.
ISO 27001 certification
This certification is part of a family of information security standards that address risk management through information security controls spanning privacy, confidentiality, and cybersecurity. ISO 27001 specifically provides a set of requirements for an information security management system (ISMS) that cover:
- Definition of a security policy
- Scope of ISMS
- Assessment of risk
- Management of risk
- Implementation of controls
The standard also requires details on security documentation, management responsibility, auditing, continuous improvement, and the preventive and corrective action that will be taken in response to incidents.
Contentful’s infrastructure runs on Amazon Web Services (AWS), and the data centers where your content is stored and delivered to users are ISO 27001 certified. Contentful itself is on the way to becoming ISO 27001 certified in 2019.
PCI DSS compliance
The Payment Card Industry Data Security Standard, or PCI DSS for short, is a standard set by a council founded by the five main payment card providers (AMEX, Discover, JCB, MasterCard and VISA) to unify the individual information security programs and policies that each of these providers originally had.
The standard sets out requirements to ensure the security of cardholder data, the networks and systems over which such data is transmitted, vulnerability management, access control, network monitoring and testing, and an information security policy. These six control objectives highlight the key areas of security that any organization wanting to achieve compliance is accountable for enforcing.
While Contentful does not deal directly with your payment information, be it credit card or personal data, we do use Stripe as a payment processor. So it is just as important to us as it is to you that the payment processor we use is trustworthy, maintains practices to keep your payment information safe, and complies with the PCI DSS standard. As mentioned on our security page, Stripe also uses various other measures to reduce payment fraud and access by unauthorized parties.
Security is a top concern at Contentful, which is why we keep the infrastructure that we're hosted on ISO 27001-certified and also do business with a payment processor that complies with the PCI DSS standard. Contentful itself is on the way to becoming ISO 27001 certified in 2019. We are also already GDPR-compliant, and we strive to maintain best practices and keep our standards high because we care about your security and privacy, as well as that of your content and its uptime.
Of course, it takes two to tango, and there are also ways you can keep the security of your website and its operations covered from your end.
We've recently launched two brand new data sheets detailing Contentful's vulnerability management and security incident response respectively. For more information about these data sheets, please talk to your Contentful sales contact or account manager.