A certificate for the registry

The domain name registry is ISO 27001 certified. Why is this necessary?

Text: Christa Falkensammer, published on 08.09.2014

SWITCH's Chief Information Security Officer answers the burning questions about the domain name registry's information security management system.

Why did SWITCH apply for certification?

The Domain Name System SWITCH operates is among Switzerland’s critical infrastructures. Were it to break down, the impact on the population and the economy would be severe. This is why SWITCH has a number of multi-level backups of the Domain Name System in place (see article "Reliability doesn't happen by accident"). On top of this, we wanted to create an additional layer of security in the form of an information security management system (ISMS) and have this certified under ISO 27001. ISO 27001 is the global standard for ISMS certification. The aim of the ISMS is to protect information based on an analysis of business risks in terms of confidentiality, integrity and availability.

What do setting up and certifying an ISMS entail?

SWITCH formed an Information Security Committee (ISC) last year. Working at management level, it draws up security guidelines, assesses risk analyses and plans measures to enhance information security. As Chief Information Security Officer, I head up the ISC. I take instructions from the ISC and am responsible for the operation and continual improvement of the ISMS.

We carried out a business impact analysis to evaluate critical business processes and worked out emergency scenarios and measures to mitigate these and limit the damage caused. With a view to ensuring that normal operation can be restored as quickly as possible in the event of faults and emergencies, we defined a practically oriented incident management process and tested it in a number of emergency exercises.

The consulting firm AWK Group helped SWITCH set up the ISMS. After this intensive phase, SQS awarded SWITCH its ISO 27001 certification. We are thus among the first registries in Europe to have a certified ISMS.

What does this mean for the future?

We share our experience with other registries to maintain the security of the overall system for domain names and take it to the next level. Rolling out ISMSs is also on the agenda for Swiss universities. SWITCH will let them, too, benefit from its experience.

However, SWITCH does not intend to rest on its laurels. The process of continual improvement is vital to the ISMS and is thus embedded in all its phases and procedures. Security is an ongoing process, not an end result. The next interim audit by SQS is already scheduled. Certification is a continuing commitment.

About the author
Christa Falkensammer

Christa Falkensammer is Chief Information Security Officer (CISO) at SWITCH and in charge of the information security management system. She gained her Bachelor’s degree and Master of Science in business information systems at the University of Applied Sciences and Arts Northwestern Switzerland.
