ISO Standards as tools for data centre management
Fri 15 Jul 2016
The International Standards Organisation, ISO, and its companion body the IEC (International Electrotechnical Commission) have published many management standards aimed at raising the standard of management across all forms of enterprise, from private companies and the education sector to government departments and institutions.
Data centres can benefit from ISO management standards and techniques as much as any other business, and it is worth considering what the relevant standards are, as well as what they do and do not cover, in a data centre context.
The most important published standards are: ISO 9000 Quality management system; ISO 14000 Environmental management system; ISO 22301 Business Continuity Management; ISO 27000 Information Security Management system; ISO 50000 Energy Management system; ISO 55000 Asset management.
And coming soon…
ISO 30134 Information Technology (Data Centres – Key performance indicators); ISO 45001 Health and Safety requirements; ISO 41000 Facilities Management.
The ISO 27000 family is aimed at the IT sector but is not specifically a data centre standard. Only the draft ISO 30134 specifically addresses data centres. ISO 45001 is based on the very popular British Standard BS OHSAS 18001.
Deciding ISO standards for data centres
ISO 27000 is a large family of standards. At the last count there were 26 published documents and ten more in preparation. There are dedicated documents relating to the telecommunications, financial and health industries. ISO 27000 is an Information Security Management standard and is not specific to data centres, although many data centres have gone for this certification, so it is instructive to see what it covers and what it does not.
We can see that it expects many facilities management details to be filled in by other standards, as it only covers these issues at the very highest level.
The two documents of most immediate interest to data centres are ISO/IEC 27001: Information security management systems – Requirements and ISO/IEC 27002: Code of practice for information security controls.
ISO 27001 is the Standard, whereas ISO 27002 is the Code of Practice that describes the controls that need to be in place to ensure compliance with ISO 27001.
How ISO standards consider ‘power’ in the data centre
Most people would agree that, of all the facilities management provided in a data centre, the reliable supply of power and cooling is the most important. Original research from Capitoline showed that across a sixty-month period, excluding IT-related issues, the most common cause of catastrophic data centre failure was loss of power. Power failures accounted for 43% of all outages and 34% of the total down time.
If we look at ISO 27001 first, “power” only appears twice: once in connection with the security of power cables, and again in connection with protecting equipment from power failures and failures in other supporting facilities.
A.11.2.2 Supporting utilities – Control
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.
In another section, redundancy is required, but only to the level sufficient to meet availability requirements. What those requirements are is not defined, and this is another example of where the resilience Ratings and Classes of EN 50600 and TIA 942 (also sometimes referred to as ‘Tiers’) need to be understood and implemented:
A.17.2.1 Availability of information processing facilities – Control
‘Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.’
ISO 27002 is the Code of Practice which gives a bit more supporting evidence to meet the Controls and Objectives of the Requirements statements of ISO 27001. For example:
11.2.2 Supporting utilities – Control
‘Equipment should be protected from power failures and other disruptions caused by failures in supporting utilities.’
Supporting utilities (e.g. electricity, telecommunications, water supply, gas, sewage, ventilation and air conditioning) should: conform to equipment manufacturers’ specifications and local legal requirements; be appraised regularly for their capacity to meet business growth and interactions with other supporting utilities; be inspected and tested regularly to ensure their proper functioning; if necessary, be alarmed to detect malfunctions; and, if necessary, have multiple feeds with diverse physical routing.
There are therefore large sections of Chapter 11 within ISO 27001/2 that need additional detailed inspection, audit and reporting to answer these broad questions fully.
We suggest that within Europe the ideal standard to use to answer these questions properly is EN 50600 Information technology.
Outside Europe either EN 50600 or TIA 942 (Telecommunications Infrastructure Standard for Data Centers) would be appropriate. Both EN 50600 and TIA 942 fully describe the facilities requirements of a data centre and provide a four-level Rating method to describe the resilience and redundancy level of the site.
Unlike the private commercial standard from the Uptime Institute and its ‘Tier’ level method, which only addresses power and cooling, EN 50600 and TIA 942 address power, cooling, cabling, architectural and location requirements, fire safety and BMS/DCIM.
EN 50600 is Europe’s own data centre standard and is also the first standard to specifically address data centre management issues. The proposed structure of the standard is: EN 50600-1 – General concepts; EN 50600-2 – Physical infrastructure; EN 50600-3 – Management and operation; and EN 50600-4 – Energy management and resource efficiency.
You can use the existing and proposed set of ISO management standards to manage your data centre to the highest professional level. However, standards such as ISO 27000 say virtually nothing about the detail of power, cooling and other facilities infrastructure requirements that are so vital to a data centre. Therefore use additional standards such as EN 50600 or TIA 942 to demonstrate compliance with the ISO 27001 and 27002 requirements for secure power and other infrastructure facilities. Professional external auditors can be used to demonstrate compliance with all relevant standards.
Barry Elliott has held senior technical support positions in the Civil Aviation Authority, BICC, Brand Rex and Honeywell Control Systems. In 2005 he set up Capitoline as an independent engineering consultancy specialising in data centre design, audit and training. Barry has a degree in communications engineering from the University of Kent, an MBA and is a chartered engineer with two institutions, the IET and CIBSE. Capitoline advises many corporate customers on data centre facilities requirements, from both audit and training perspectives and advises the United Nations, European Space Agency and the Amsterdam Internet Exchange, among many others.