ETSI standard for secure electronic data archives

ETSI Headquarters, Sophia Antipolis, France - May 2011

ETSI TC ESI publishes a new standard, TS 101 533-1, detailing security requirements for Information Preservation Service Providers, or electronic data archiving services, applying the provisions of ISO/IEC 27001.

At a time when the developing field of Cloud Computing is grabbing headlines, a quiet revolution is already underway in businesses and public service providers across Europe. Organizations are turning towards online data archiving services to manage their ever-increasing data storage requirements. With the growth of electronic transactions, online VAT and tax returns, and additional legal obligations for data retention, for example relating to e-mail records, such archiving services are becoming a necessity. Public authorities and health services are also generating enormous amounts of data and records annually which must be stored securely.

Dependence on these services prompts customers to ask a number of questions: 'Will my data be secure, so that nobody has unauthorized access? Will I be able to access it whenever I need to? Can my data be audited, to verify nobody has modified it? Can I be certain it will still exist in 8 or 10 years' time? Will I be able to read and interpret my data files then?'

ETSI's Technical Committee for Electronic Signatures and Infrastructures (TC ESI) has just developed and published a new specification which can help to answer these questions. ETSI TS 101 533-1 specifies security requirements for Information Preservation Service Providers. This new Technical Specification focuses on the security aspects of providing electronic data archiving services, and applies the provisions of ISO/IEC 27001 to this important industry.

In addition, ETSI TC ESI has also published a Technical Report, TR 101 533-2, to provide guidelines to enable assessors to review and audit the security of Information Preservation Services.

The publication of these two documents by ETSI will give service providers a clear indication of the security requirements they need to comply with. Auditors and assessors now have clear guidelines on how to verify compliance with these requirements. Together, these will encourage the availability of certified, audited Information Preservation Services. Customers, whether in industry or in the public sector, will now be able to choose an electronic data archiving service provider with confidence.

Copies of these documents, developed with funding from a European Commission Standardization Action Grant, are available for free from the ETSI Publications Download Area.