The British Standards Institution (BSI) has certified the first two cloud service providers in the Cloud Security...
Alliance’s Security, Trust and Assurance scheme CSA STAR.
The CSA and BSI launched the certification in September 2013 because ongoing concerns by business about data security continue to be an inhibitor to cloud adoption.
The BSI is an independent assessor for the scheme that was developed to give prospective cloud users a benchmark to measure a cloud service provider’s security controls.
HP and Pulsant have been certified as achieving Silver level, based on the BSI’s scoring on management capability in 11 control areas.
The report submitted to the cloud service provider shows the maturity of its processes and what areas it needs to improve to achieve an optimum level of maturity.
In this way, service providers listed on the CSA STAR registry as STAR certified can move up through the Bronze, Silver and Gold levels.
To qualify for certification, each cloud service provider has to achieve ISO27001 certification and meet minimum standards when assessed against the CSA Cloud Control Matrix.
This assessment covers compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resilience and security architecture.
Each control is scored on a specific maturity and measured against 5 management principles to produce an overall maturity score.
“This certification provides further assurance to our UK government customers that we have gone the additional mile,” said Gursharan Virdi, UK ISO 27001 programme manager, HP.
Fergus Kennedy, head of compliance and information systems at Pulsant said the certification offers a path to improvement.
“And because it is audited by an independent body, it holds infinitely more weight than existing self-assessment/self-declaration models,” he said.
Suzanne Fribbins, risk management specialist at BSI said the certification creates a transparency in the industry that will help businesses to evaluate the performance of a cloud service provider.
“Certification also offers reassurance that specific cloud security risks have been addressed,” she said.