According to security consultant Alec Muffett, though, the certification is not a "seal of approval", as it permits a vendor to set its own benchmarks to be measured against. "In sporting metaphor, a vendor, in this case, Google, gets to design their own high-jump bar, document how tall it is and what it is made of, how they intend to jump over it and then they jump over it," Muffett told Computerworld UK. Swidler responded by saying while he agreed there is no such thing as a 100 percent security guarantee, he took issue with the idea that Google laid out its own benchmarks for the ISO certification. "This notion of vendors specifying the controls they are having to look at is more applicable to the SSAE 16 / ISAE 3402 audit that we do," Swidler said. "That is a case where we, Google, say, 'Here are the security controls'." "In the case of ISO 27001, it's a much more proscribed set of industry controls," he said, noting that the specified controls are public for anyone to see. Swidler also pointed out that while some vendors gain certification only for their datacentres and perhaps their infrastructure, Google has gone through the process also for its software, code processes and personnel — "everything that's relative to customers has been looked at", he said. While the certification is for Google Apps for Business only, there is some benefit to users of Gmail and the free standard edition of the cloud suite, according to Swidler. "There is a tremendous amount of overlap at the core technology layer, though there are some pieces of technology only available in Google Apps for Business," he said.