Standards – just the starting point?

Standards – just the starting point?

The ISO was founded with the idea of answering a fundamental question: “What's the best way of doing this?”

Written by Phil Alsop, Editor, DCS Europe Published Thursday, 21 January 2021 09:23

With many of us already weary with life seemingly in mid-pandemic slow motion, the idea of trying to convince readers of this blog that ISO standards are not only necessary but, as applied to data centres, can even be somewhat interesting, and just occasionally a little bit exciting, is a hard one to sell!

The International Standards Organisation (ISO) exists to develop industry or stakeholder driven standards. That’s to say, there isn’t a remote committee of folk, with their heads in the clouds, who make random decisions as to which industries require some new standards. No, the ISO’s job is to respond to the demand from industry and/or consumers to develop a new standard covering a particular subject matter. And the standards thus developed can be extremely broad, or very specific indeed.

The ISO standards development process consists of one or more technical committees, made of international experts (which will be from the relevant industry, but can also be from consumer associations, academia, NGOs and government), who discuss the scope, definitions and content of a standard (the standard may well have multiple parts).

The ISO was founded with the idea of answering a fundamental question: “What's the best way of doing this?” And this is still the guiding principle, as the technical committee reaches a consensus for a draft ISO standard, requesting input and feedback from all relevant parties, which is then used to amend the draft standard until, after a period of approximately three years, what was an initial idea is finally published as an ISO standard.

For the data centre industry, I would suggest that there are two types of ISO standard – general and specific.

Under the general heading, come the ISO standards which are all but compulsory for any business which wishes to be taken seriously by its customers and suppliers: the ISO 9000 series – which covers quality management systems (which basically tells folk that you know what you are doing!); and ISO 14001 – environmental management systems, pretty much a must have in this day and age, when carbon footprints and sustainability are the top of many boardroom agendas.

Sticking with the more general ISO standards as they might apply to the data centre, we also have ISO 27000, which covers information technology security techniques/information security management systems; ISO50001, which focuses on energy management systems; ISO 55000 on asset management, and ISO 22301, all about security and resilience – business continuity management systems.

Importantly, all of the above standards offer the possibility of certification. In other words, in order to demonstrate compliance with any or all of these ISO standards, an organisation can pay for a third party audit which will (hopefully!) confirm that the organisation does indeed meet the requirements of the standard(s) and, as a result, is issued with a certificate demonstrating this compliance.

At this juncture, it’s worth remembering that, as a rule, the ISO standards are not prescriptive – i.e., they don’t say ‘you must use the following exact pieces of equipment and/or management practices in order to comply’ – rather, they provide a framework around which a compliant solution can be built.

It’s also worthwhile to point out that the ISO standards offer a simple pass/fail model. There’s no granularity when it comes to those companies who have any particular standard, nor is there any continuous improvement pathway within a standard.

And so we arrive at the data centre specific ISO standards. Broadly speaking, we are concerned with two main ones: ISO 30134 and ISO 22237. It’s also important to note that the standards that follow are more about establishing best practices than providing organisations with a piece of paper they can brandish to demonstrate any kind of compliance.

The ISO 30134 set of standards covers data centre key performance indicators (KPI). These include our old friend power usage effectiveness (PUE), renewable energy, equipment usage and energy efficiency for servers, cooling efficiency, energy reuse, water usage effectiveness and carbon usage effectiveness.

Meanwhile, the ISO 22237 standards focus on data centre facilities and infrastructures. The following topics are covered: building construction, power distribution, environmental control, telecommunications cabling infrastructure, security systems, management and operational information and earthquake risk and impact analysis.

And, just when you thought that was enough ISO standards with which to be getting on, there’s plenty more to consider. The ISO 11801 standards cover cabling in detail, and then we are on to what seem to be some data centre specific ones which are one-offs. These include: ISO 23544 application platform energy effectiveness and ISO 30133 guidelines for resource efficient data centres (both under development); ISO 21836 server energy effectiveness metric; ISO 23050 impact on data centre resource metrics of electrical energy storage and export; ISO 20913 guidelines on holistic investigation methodology for data centre key performance indicators; ISO 21897.2 impact of ISO 52000 standards for energy performance of buildings (an under development standard about another standard!); and ISO 19395 sustainability for and by information technology – smart data centre resource monitoring and control.

Hands up who knew there were that many ISO standards relating to data centres?!

A word or two of caution. Standards can only tell you so much about how well any particular data centre facility is run. Yes, it’s good to know that your chosen colocation provider can put a tick by many, if not all, of the relevant ISO standards, and show you the certificates to prove this, but there’s no substitute for a bit of good old-fashioned tyre-kicking. A data centre visit will tell you at least as much, if not more, about the colo’s attitude to customers, sustainability, operational efficiency (hence competitive pricing) and how up to date, or otherwise, are the facilities.

It’s also worth pointing out the paradox that, the more companies who demonstrate compliance with any particular standard, in a sense the more such compliance becomes devalued. In other words, if every data centre on the planet has ISO 9001 and 14001 certification, then they are all the same – there’s no competitive advantage!

One other note of caution. For some organisations, obtaining quality management systems and/or environmental management systems certification is little more than a box ticking exercise. So, the bare minimum is done in order to obtain a certificate, when so much more could, and should be done.

In summary, as an end user evaluating different offerings from various colocation providers, the absence of ISO9001 and ISO14001 certification should set alarm bells ringing. However, simple possession of these certificates is not necessarily an accurate reflection of the colocation provider’s ‘honest’ attitude to quality, customer service or environmental issues. Do your research on these topics and be ready to ask searching questions that will quickly uncover, for example, a colo’s true attitude to sustainability.

And that’s what you want to uncover – whether a colo provider shares the same approach to business and standards (whether certified or not) as your own organisation. We all have our preferred doctor or dentist at the local surgery. And that’s not because we think the other doctors or dentists are incompetent (or even unqualified!); rather that we have more trust and engagement with a certain practitioner. And it’s the same when it comes to identifying a colocation practitioner.