ISO 27001 aims to build confidence when choosing cloud providers
The British Standards Institute (BSI) and the Cloud Security Alliance (CSA) have launched the Star certification programme aimed at giving cloud service providers a neutral assessment of their security provision.
The Star programme combines the ISO/IEC 27001:2005 standard with the CSA’s Cloud Control Matrix. This combined set of criteria measures the capabilities of the cloud service, the CSA claimed.
Both organisations signalled their intention to develop the programme last August. This followed a survey which found that customers cited a number of concerns about the security of their data and information with cloud providers. By achieving certification, cloud providers would be able to offer customers a greater understanding of security control levels.
Daniele Catteddu, managing director for EMEA at CSA, said, “Especially in light of recent government revelations, both consumers and providers of cloud-based services have been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use.
“In providing a rigorous, user-centric assessment, Star certification will provide an additional layer of transparency that the industry has been calling for,” she added.
Cloud providers going through the Star programme will be given an internal report following an independent assessment by an accredited body, such as the BSI. The assessment will score the provider against 11 control areas within the CSA’s Cloud Control Matrix: compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency, and security architecture.
Providers will be awarded one of four levels: No, Bronze, Silver or Gold. The level shows whether they have passed and how mature their internal processes are. Certified organisations will be listed on the CSA Star Registry as “Star Certified”.
Elaine Munro, head of global portfolio management at BSI, said, “Technological developments in the workplace and the desire for employees to be able to work flexibly have led to an increase in business demand for cloud services. However, many organisations are wary of cloud services due to a variety of security concerns.
“The Star Certification will help alleviate this problem, as it will provide organisations and consumers with a clear benchmark on which to evaluate the performance of a cloud service provider,” she explained.