Today is a big day for Cisco Spark – we’ve officially received our ISO27001 certification!

For those unfamiliar with it – this certification gives our customers confidence that we’re following best practices around operating a secure cloud service. Indeed, many customers even require their vendors to have this certification. It’s a very formal process which defines a long list of operational requirements that a service needs to meet, document how it is meeting them, and then prove that it keeps on meeting them. It covers everything from incident management to inventory control to access controls to vulnerability scanning and even personnel management. Customers want to be sure that we’re doing all of these things and doing them well. Rather than having to ask about every single detail, they can instead know that – because we have this certification – we’re doing all of that stuff, and following best practices for them.

Achieving this certification is a LOT of work. Fortunately, we were starting from a great place. Cisco as a whole has very strong operational requirements in place for all products. And if you follow those, you end up doing most of what these certifications require. Furthermore, we built upon the success of WebEx, which has had ISO27001 certification (and a long list of others – SOC2 type 2, Safe Harbor, FedRamp, and SSAE16). Cisco as a whole also has ISO9001 certification, which helps.

If the application doesn’t have ISO27001, there is really no security protection at all. Cisco Spark has this certification for the entire application, inclusive of the underlying data centers.

Because of this strong foundation, we were able to achieve this certification very quickly – just six months from the start of the process. Much of that time was spent collecting information and documenting all of the things we do, as the certification process is very heavy on documentation.

Unfortunately, it has become common for vendors – particularly startups – to make claims like, “runs on ISO27001 certified data centers.” What this actually means is that their software runs in an Amazon or other data center that has the certification, but the certification does not apply to the application itself. Getting the certification for the actual application itself is what really matters – since the application is what holds and processes customer data. If the application doesn’t have ISO27001, there is really no security protection at all. Cisco Spark has this certification for the entire application, which is inclusive of the underlying data centers too.

Another aspect of this that I’m really proud of is that our certification isn’t just for Cisco Spark. It’s a certification that covers Cisco Spark and WebEx. These services share infrastructure, and through our Flex Plan subscription, are also sold together. With a shared certification, customers can feel confident in the security of their data no matter what products they use.

Of course, we’re not resting on our laurels. More is to come as we work toward being the most secure collaboration tool on the planet. When you combine this certification with other application innovations like our end-to-end security and on-premises key servers, no one comes close to the type of security offered by Cisco Spark.

Learn more about security compliance with Cisco Spark.



Jonathan Rosenberg

Cisco Fellow and Vice President

CTO for Cisco's Collaboration Business