Working with the business standards company, ‘BSI Incorporating NCSI’, the Cloud Security Alliance has created a new security standard for cloud services, plus an independent certification. Cloud providers and users have, for some time, been asking for a technology-neutral and independent certification to enable them to make better-informed decisions regarding the services they use and purchase.
Nick Koukoulas, Managing Director of BSI, believes that the new STAR Certification will provide companies and consumers with a clear and understandable benchmark, allowing them to evaluate a cloud service provider’s performance.
Combining assessment for conformance to the ISO/IEC 27001:2005 management system standard and to the Cloud Security Alliance’s Cloud Controls Matrix, the STAR Certification will require organisations to meet a specified set of criteria that measure the capability levels of the cloud service they are offering.
The Cloud Controls Matrix (CCM) is designed to deliver a controls framework that addresses the security requirements that a customer will demand from cloud security providers. The framework incorporates data governance, compliance, legal, human resources, operations management, information security, release management, risk management, security architecture and resilience.
Assessments will be carried out by an accredited CSA certification body, i.e. BSI Incorporating NCSI, and the provider will be assessed on meeting the ISO/IEC 27001 requirements, based on the CCM capability factors: ownership; communication and stakeholder engagement; leadership and management; monitoring and measuring; policies, plans and procedures and a systematic approach; skills and enterprise. The assessment body will allocate a performance score for each capability factor, and these scores will contribute to an overall rating of Gold, Silver or Bronze. Certified organisations will be listed on the Cloud Security Alliance’s STAR Registry as ‘STAR Certified’.
By Allie Philpin