Throughout 2014, ENISA has been working with the European Commission and industry actors on an action under the EU Cloud Strategy to compile a list of voluntary certification schemes relevant for cloud computing.
The cloud certification list, called CCSL, gives an overview of relevant certification schemes and provides answers to frequently asked questions like: What is the underlying standard? How does a provider get certified? Who audits the security? How many providers are certified?
CCSL was first launched in April with just five certification schemes. In recent months, ENISA worked with industry to add more schemes and to extend the information on the list. The list now has 12 individual schemes, including some self-assessment schemes and some schemes commonly used overseas, like PCI DSS and AICPA SOC.
Dan Cimpean (Deloitte), one of the experts in the C-SIG working group on certification, who analysed the SOC standards, explains: “Especially in Europe, cloud stakeholders are searching for a better balance between the compliance burden and the assurance level in the cloud eco-system. More and more cloud service providers consider a SOC 2 report to effectively respond to the expectations of cloud customers for better security”.
Ralph Salomon, from SAP (a large European cloud provider), who analysed the PCI DSS standard, remarks: “SAP's intention is to provide full transparency on the security and compliance status of our cloud offerings to our customers. In Europe we don't need to re-invent certification standards as we can rely on relevant and internationally accepted standards and good practices. SAP very much appreciates and supports the CCSL initiative of the European Commission and ENISA as it provides clarity to the customers on relevance and value of standards and good practices.”
In the coming weeks ENISA will also publish a framework to map from customer requirements to the security objectives in existing certification schemes. The Cloud Certification Schemes Metaframework (CCSM) will be launched in January as a procurement tool for the public sector.
For more information visit: https://resilience.enisa.europa.eu/cloud-computing-certification