FlyingPenguin has posted a good critique of my earlier post about Amazon’s ISO 27001 certification. Here’s a succinct correction: To quote Wikipedia, ISO 27001 requires that management:

• Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

ISO 27002, which details the security best practices, is not required to be used in conjunction with 27001, although this is customary. I forgot this when I wrote my post (when I was reading docs written by my colleagues on our security team, which specifically recommend the 27001 approach, in the context of 27002). In other words: 27002 is proscriptive in its controls; 27001 is not that specific. So FlyingPenguin is right — without the 27002, we have no idea what security controls Amazon has actually implemented.