BSI launches STAR Certification for Cloud Security

1 October 2013

The Cloud Security Alliance (CSA) and BSI, the business standards company, today announced the launch of the STAR Certification program, a rigorous, independent third-party assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.

Organizations that outsource services to cloud service providers have a number of concerns about the security of their data and information. By achieving STAR Certification, cloud providers of every size will be able to give prospective customers a greater understanding of their levels of security controls.

“In response to recent concerns raised by the Government, both consumers and providers of cloud-based services have been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use,” said Nick Koukoulas, Managing Director, BSI incorporating NCSI. “In providing a rigorous, user-centric assessment, STAR Certification will provide an additional layer of transparency that the industry has been calling for.”

STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix. There are 11 control points within this matrix covering compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture.

The independent assessment by an accredited CSA certification body, such as BSI, will assign a ‘Management Capability’ score to each of the 11 control points. Each control will be scored at a specific maturity level and will be measured against 5 management principles.

The internal report will show organisations how mature their processes are and what areas they need to consider improving to reach an optimum level of maturity. These levels will be designated as either “No award”, “Bronze”, “Silver” or “Gold”. Certified organisations will be listed on the CSA STAR Registry as “STAR Certified”.

Mr Koukoulas adds: “Technological developments in the workplace and the desire for employees to be able to work flexibly have led to an increase in business demand for cloud services. However, many organisations are wary of cloud services due to a variety of security concerns. STAR Certification will help alleviate this problem, as it will provide organisations and consumers with a clear benchmark on which to evaluate the performance of a cloud service provider.”

ISO/IEC 27001 is the internationally recognised standard for information security management. It is currently being revised to ensure it remains relevant to the issues and challenges facing companies in today’s rapidly changing technological environment. To date, the final draft standard has been developed; it allows for easier integration when implementing more than one management system, and it adopts some changes to the controls, including the addition of controls around security in supplier relationships. The revised standard is expected to be published during late 2013.

The current standard remains valid, and so does certification to it. Certification to ISO/IEC 27001:2005 will still be permitted for a period of time following publication of the new version of the standard. BSI will support users through the transition once the new standard has been published.