Press Release

Security and data protection: OVHcloud expands ISO 27001 and ISO 27701 certifications to its cloud offerings

Press Release

OVHcloud announced today that it has achieved new certifications in information security and data privacy, marking a new phase in its broader certification policy and commitment to customers.

With the newly obtained ISO/IEC 27001 and ISO/IEC 27701 for most of its cloud solutions, OVHcloud has further consolidated its arsenal in order to strengthen customer trust in the security of its infrastructure. The scope of certification covers the following products:

  • Public Cloud: Compute, Storage (Block, Object, Archive, Snapshot, Instance Backup), Managed Kubernetes® Service, Cloud Databases, Data Processing, ML Serving et AI Training.
  • Hosted Private Cloud Premier, Managed Bare Metal, Serveurs Bare Metal, NAS, Backup storage, Logs Data Platform et Trusted Exchange.

For these products and all supporting information systems, OVHcloud has implemented an Information Security Management System (ISMS) and Personal Information Management Systems (PIMS) evaluated by a third-party auditor as part of an in-depth audit. This audit resulted in the obtaining of:

  • Certification according to the ISO/IEC 27001 standard supplemented by the requirements of ISO/IEC 27017, specific to cloud services security and ISO/IEC 27018 relating to the requirements of personal data protection. This certification enables all organisations and their DevOps teams to deploy services in OVHcloud’s environment in accordance with the highest security standards.
  • Certification according to the ISO/IEC 27701 standard, to explain how the personal data hosted by its customers on OVHcloud solutions are specifically protected. This recent certification (2019), which still involves few players, is based on a global standard that reflects most of the requirements of the General Regulation on Data Protection (RGPD) in a standardised manner.

According to the IDC FutureScape study “Worldwide Cloud 2021 Predictions”, over 80% of enterprises evaluating cloud services for privacy-sensitive workloads will mandate the protection of data sovereignty and the ability to control the corresponding processes across the geographies concerned.

OVHcloud has been committed for many years to constantly improving the security of its information systems. In 2013, the European cloud leader achieved ISO 27001 certification for its Hosted Private Cloud solution and then in 2019 for its Bare Metal Cloud servers.

As a cloud provider, OVHcloud has also adopted a multi-local approach to compliance: in France, it obtained ANSSI[1] security approval for its SecNumCloud qualification in early 2021 and extended the scope of its HDS health data hosting certification to include Public Cloud services that could be used to host healthcare data. In other countries, OVHcloud is developing a roadmap tailored to local regulations, such as C5 in Germany (BSI Cloud Computing Compliance Controls Catalogue), AGID in Italy (Agenzia per l’Italia Digitale) and ENS in Spain (Esquema Nacional de Seguridad).

“Our certification policy is guided and shaped by the security requirements of our customers,” says Sylvain Rouri, Chief Sales Officer for OVHcloud. “We’re delighted to offer public- and private-sector organisations a portfolio of certified cloud solutions so they can host their data on infrastructures guaranteeing the highest level of security and data protection.” 

"This dual certification, which applies to most of our cloud products, is an important step in our security approach. It provides a virtuous management framework to ensure that good security and personal data protection practices are considered and to improve transparency for our customers," says Julien Levrard, Chief Information Security Officer at OVHcloud.

XMCO supported this approach as internal auditor of OVHcloud’s management system. The external certification audit was conducted by the Laboratoire National de Métrologie et d'Essais (LNE).

For more about OVHcloud’s compliance and certification policy:

[1] France’s national agency for information system security.