Today we are happy to announce Elastic's certification for compliance with ISO/IEC 27001:2013, 27017:2015, and 27018:2019 as well as completion of Cloud Security Alliance (CSA) Security Trust and Risk (STAR) certification. These certifications, performed by independent third-party auditors, are evidence of our commitment to information security and privacy at every level of our organization, and that the Elastic security program is operating in accordance with industry-leading best practices.
In addition to the ISO 27001 certification with 27017 and 27018 attestations, we have completed the Cloud Security Alliance (CSA) Security Trust and Risk (STAR) certification across Elasticsearch Service, App Search, and Site Search.
ISO 27001:2013 is a security management standard that specifies management best practices and a comprehensive set of security controls, following the ISO/IEC 27002 best practice guidance.
The basis of this certification is the development and implementation of a rigorous security program, which includes an Information Security Management System (ISMS). This system defines how Elastic continually manages security by:
- Systematically evaluating our information security risks, taking into account the impact of threats and vulnerabilities
- Designing and implementing a comprehensive suite of information security controls to address the information security risks to Elastic and to our customers’ hosted information
ISO/IEC 27017:2015 provides requirements for information security controls applicable to the provision and use of cloud services by providing:
- Additional implementation guidance for relevant controls specified in ISO/IEC 27002
- Additional controls with implementation guidance that specifically relate to cloud services
ISO/IEC 27018:2019 provides assurance that cloud service providers, like Elastic, who process personally identifiable information (PII) offer suitable information security controls to protect the privacy of their customers by securing PII entrusted to them.
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2013 management system standard together with the CSA Cloud Controls Matrix.
For more information, refer to our Security and Compliance webpage.