Together with DataCenter-Insider, the Data Center Group has started a new advisory series that covers all areas of data centers.
Simply ticking off the requirements of a standard such as EN 50600 or ISO 27001 is not enough to make a data center or its operation standard-compliant. That misconception regularly leads to frustration at audits. It is true that auditors inspect the facility and award the certificate afterwards, but the technical inspection alone does not decide the outcome: the examiners do not only inspect the data center technically, they also ask questions about the organization and the management processes.
Data center operators can therefore influence the outcome of the inspection in their favor by preparing in advance. As with a loan application at a bank, the audit begins with good preparation. Beyond that, practical experience and continuity help. Here are three tips:
Preparation is the essence of a certification. Those responsible should know exactly why they need a certification, what their goal is and what benefit the certificate brings to the company, even if they are obliged to obtain a certification such as ISO 27001, e.g. because they operate critical infrastructure. An audit appointment without good preparation has little chance of success. The inspection criteria and dedicated workshops spell out what is expected at the audit and can support good preparation in advance.
To be ideally prepared, however, you should also understand the background of the criteria. When a complex building is inspected according to EN 50600, for example, an unprepared auditee can easily give inappropriate answers. They might, among other things, be unable to explain the security concept, and that can lead to the certificate being refused. You should generally not expect much help from your auditors.
Why? Because it is not the auditor's job to advise or to suggest measures. Quite the opposite: auditors are usually not allowed to give advice. Their task is to ask the data center operator the questions relevant to the audit and to assess the answers against a fixed rubric. They must be able to reach their judgement independently and neutrally. Any advice to the customer being assessed, especially paid advice, is therefore not acceptable in regulated inspection procedures.
It sometimes happens that those responsible make decisions during planning or construction that are not standard-compliant, even though they know a certification will be required. The inevitable rework is both expensive and time-consuming. This mistake is easy to avoid by drawing on the experience of specialists. Of course, a non-specialist architect can plan and build an IT security room. But for lack of expertise, such rooms often have to be adjusted afterwards because they lack adequate protection against unauthorized access, fire, water or explosions. That is why you should consider bringing in an expert to accompany the construction and, ideally, the planning as well.
Data center operators should also consider what resources they have available for a certification. They should budget for staff time and organizational measures, especially in view of the inevitable recertification, which usually takes place every two or three years and examines whether the data center and its operation still conform to the standards.
In particular, the implementation of any improvement requirements from previous audits has to be demonstrated. Many companies stall on, or forget about, consistently running a continuous improvement process until the auditor calls again. Usually several documents are then missing or have not been maintained. An ad hoc attempt is made to implement all requirements and procure the corresponding evidence. This is generally not effective, because one measure or another is forgotten or can no longer be carried out. Besides, experienced auditors notice straight away when a company has done nothing in the last two years.
The ISO/IEC 27001 series of standards serves to protect information against a range of threats.
The aim of EN 50600 is to set standards for "availability, security and energy efficiency for the planned durability of the data center".
© DC-Datacenter-Group GmbH