BSI Group Australia and New Zealand announces the launch of a new STAR Certification program to assess the security of a cloud service provider.
The STAR Certification program by the Cloud Security Alliance (CSA) and BSI incorporating NCSI, the business standards company, is a rigorous third party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001:2005 management system standard together with the CSA Cloud Control Matrix, a specified set of criteria that measures the capability levels of the cloud service.
The new program addresses concerns from organisations that outsource services to cloud service providers about the security of their data and information. By achieving STAR Certification, cloud providers of every size will be able to give prospective customers a greater understanding of their levels of security controls.
Nick Koukoulas, Managing Director, BSI incorporating NCSI, explains that both consumers and providers of cloud services have, in response to recent concerns raised by the Government, been asking for independent, technology-neutral certification to help them make more informed decisions about the services they purchase and use.
STAR Certification is based upon achieving ISO/IEC 27001 and the specified set of criteria outlined in the Cloud Controls Matrix. There are 11 control points within this matrix covering compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency and security architecture.
The independent assessment by an accredited CSA certification body, such as BSI incorporating NCSI, will assign a ‘Management Capability’ score to each of the 11 control points. Each control will be scored for maturity and measured against five management principles.
The internal report will show organisations how mature their processes are and which areas they need to consider improving in order to reach an optimum level of maturity. These levels will be designated as ‘No award’, ‘Bronze’, ‘Silver’ or ‘Gold’. Certified organisations will be listed on the CSA STAR Registry as ‘STAR Certified’.
According to Mr Koukoulas, technological developments in the workplace and the desire of employees to be able to work flexibly have led to an increase in business demand for cloud services. However, security concerns prevent many organisations from experiencing the various benefits of cloud services. The STAR Certification is expected to alleviate this problem, as it will provide organisations and consumers with a clear benchmark against which to evaluate the performance of a cloud service provider.
ISO/IEC 27001 is the internationally recognised standard for information security management, and is currently being revised to ensure its relevance for issues and challenges facing companies within today’s rapidly changing technological environment. Certification to ISO/IEC 27001:2005 will still be allowed for a period of time following publication of the new version of the standard. BSI incorporating NCSI will support users through the transition once the new standard has been published.