How do Virtual Data Rooms Comply with the ISO/IEC 27000 Information Systems Management Standard?

Last update on .

How do Virtual Data Rooms Comply with the ISO/IEC 27000 Information Systems Management Standard?
Corporate information, being a key company asset, is exposed to high risks caused by the intensity of business operations, competition and multilateral communications. This makes data security a critical concern for corporations and creates the need of comprehensive information security management to deal with planning, optimizing, controlling and protecting corporate information contents and flows. As a tool for structuring and disclosing sensitive company information, virtual data rooms are to be included in the corporation’s information security management system, and tested for compatibility with international standards such as ISO/IEC 2700.

Information security and ISO/IEC 27000

The ISO 27000 family of standards was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) with the aim to assist corporations in establishing and continually improving information security management systems (ISMS) by providing a set of standard requirements.

The most popular standards among the ISMS are ISO/IEC 27001, Information security management systems — Requirements, and ISO/IEC 27002, Code of practice for information security controls.

Virtual Data Rooms

Virtual data rooms are software solutions enabling simultaneous access to and exchange of documentation by a number of users in a structured and controlled setting. They are commonly used in international projects, due diligence processes, M&A transactions, and corporate disclosure to regulatory bodies.

Virtual data rooms improve the efficiency of the transaction process and provide an environment for stringent information management within a certain project or process.

How do virtual data rooms fit into the ISO 2700 system?

Various virtual data room features relate directly to the requirements ISO 2700 and ensure better information security management.

Key ISO 2700 Control Areas and Data Rooms’ Contribution to Their Enhancement:

Identification of Assets & Responsibilities

The company’s asset virtual data rooms are dealing with is documentation. They help its owners to structure relevant information, identify relationships between information areas and define individual company or team members responsible for specific items. The end result is greater accountability, transparency and efficiency of managing information assets.

Access Control

Data room managers are entitled to set different user permission rights towards the data room and its contents. Usually, levels of access are tiered in terms of folder and file accessibility, i.e. the ability to access, download, review, add, update and remove data room items. 
A useful virtual data room feature is the Audit Log that keeps a record of all user activity on the system and can be used as a monitoring tool.

File Protection

Most virtual data rooms use a 128 Bit SSL Encryption that is the current business standard for protecting data. More advanced data rooms provide a 256 Bit encryption which is two times more powerful and considered ‘uncrackable’.

Another data room feature that safeguards corporate are dynamic watermarks. Upgrading on the standard logo watermarks dynamic watermarks indicate who downloaded each downloaded document and when.

The reliability of the system is often supported by functionalities such as data backup and virus scanning.

How to choose a virtual data room?

There are various data room providers offering different sets of functionalities and pricing options. If you want to ensure compatibility with the highest ISMS standards, pay special attention to the following:

  • File encryption
  • User management options
  • Data room hosting
  • Terms & conditions of the provider regarding ownership and control of the data contained in the data room

Selecting a secure virtual data room is an important step but it brings you only halfway in ensuring your corporate information is safe. What is even more important is to carefully allocate responsibilities and access rights, and continually monitor user behavior within the data room.


Image courtesy: Purple Slog, 2008, Flickr CC.


blog comments powered by Disqus