Cloud Security

Keeping IT networks and data secure is critical to business. The need for more cost-effective storage and software solutions, together with mobile access, has led to a rise in the adoption of cloud computing – and while cloud computing has opened up many new opportunities, it also presents a number of new security risks to company information. Through the implementation of ISO/IEC 27001, the most widely adopted international information security management standard, organizations can ensure that they fully understand the risks involved and their business impacts, so that controls can be put in place to protect business-critical information.

What is STAR certification?

As with all management system standards, ISO/IEC 27001 has been written in such a way that it can be applied to any organization, large or small, across all industries. Because of this generality, there are requirements specific to cloud computing that are either not covered or need to be covered more precisely.

Developed by the Cloud Security Alliance (CSA), the Cloud Controls Matrix (CCM) bridges this gap by providing an additional set of controls for cloud service providers.

A joint agreement was signed by the CSA and BSI in August 2012 to develop a third-party certification scheme for cloud security called STAR certification. The scheme incorporates the requirements of ISO 27001 together with a maturity rating that indicates how well an organization is complying with the additional cloud-specific requirements, and that drives optimization efforts by also assessing the organization's capabilities and complexities.

This new scheme will assist the adoption of cloud services by businesses by promoting greater transparency and allowing cloud service providers (CSPs) to give their stakeholders confidence that they have the necessary controls in place to secure the data they hold.

What are the benefits of STAR certification?

While there are no regulatory mandates, STAR certification will allow:

• Full visibility for top management to evaluate the effectiveness of their management system in relation to the expectations of the international standard and the cloud security industry

• A tailored audit to be implemented which reflects how an organization's objectives are aimed at optimizing its cloud services

• An organization to demonstrate progress and performance levels via an independently validated award from an external certification body

• Organizations to benchmark their performance against their peers.

STAR certification will give prospective customers of the certified organization a greater understanding of the level of controls that are in place, as well as highlighting areas on which an organization might wish to focus.

Who is STAR certification for?

The scheme is available to any organization offering cloud services that is certified, or is in the process of certifying, to ISO/IEC 27001. The scope of the ISO/IEC 27001 certification must not be less than the scope of the STAR certification.

While there are no regulatory drivers for companies to seek certification, cloud service providers (CSPs) are now seeking more robust certification arrangements. As their clients place a high level of trust in them, a CSP will need to demonstrate greater assurance that this trust is not misplaced. For IT suppliers this is particularly important, as their customers will often not be experts in IT security and will therefore look for independent third-party certification as an indication of the organization's competency to deliver cloud services.

STAR certification will provide reassurance, as it requires the organization to address the specific issues that are critical to cloud security, and the maturity model assesses how well managed the activities in the control areas are.

How to get certified to ISO/IEC 20000-1

ISO/IEC 20000-1 service management system certification should be hassle-free. You’ll be appointed a BSI Client Manager, a trusted expert with industry experience relevant to your business, who can guide you through the process.

The steps to ISO/IEC 20000-1 certification:

1. ISO/IEC 20000-1 gap analysis

An optional service which takes place before your assessment visits. We’ll take a closer look at your existing information security management system and compare it with the requirements of the ISO/IEC 20000-1 standard. It’s a really cost-effective way to check whether there are any areas you need to work on before we carry out a formal assessment.

2. Formal assessment

A two-stage process. First, your BSI Client Manager will review your organization’s readiness for assessment by checking whether the necessary ISO/IEC 20000-1 procedures and controls have been developed in your organization. We will share the details of our findings with you so that, if we find gaps, you can close them. Next, if all the requirements are in place, we’ll assess the implementation of the procedures and controls within your organization to make sure that they are working effectively, as required for certification to ISO/IEC 20000-1.

3. Certification and beyond

When you achieve certification you’ll receive your BSI ISO/IEC 20000-1 certificate, which is valid for three years. Your BSI Client Manager will visit you regularly to make sure your system doesn’t just remain compliant, but continually improves and adds value to your organization.