Audit of cloud services

Similar to other industrial and commercial sectors, many cloud services providers are trying to “sell” their customers current ISO certification as a total and verifiable quality assurance of the cloud services they provide. In discussions on certification of cloud services and solutions it is necessary  to take into account that there are many certification processes and certification schemes based on traditional standards for data centers, the certification of technical equipment and components as well as on an assessment of the structure and content of contracts and relationships between customers and suppliers of goods and services. The focus is mostly put on safety (standard ISO 27001/27002) and quality management (eg. CoBIT), or extending the special features (SOX Compliance SSAE16 / ESAE3402, formerly SAS70). It should be emphasized that it is only the meaningful combination of several control mechanisms, based on different standards that is able to provide a competent answer  to the basic question, i.e.  whether the provision of cloud services has a sufficient quality level for specific requirements, i.e., whether it is appropriate for the customer and their specific type of business.

The certification process usually begins with quality control focusing on with technical requirements, safety, data protection, compatibility and compliance assessment.

As this  form of certifications is very extensive,  time consuming, requiring expert skills and experience new specific certification frameworks have been developed. They contain essential requirements implemented into standardized test protocols and these are applied through trusted contractors or contracted certified specialists.

ISO 27001  Standard  (Information Technology – Security Techniques – Information Security Management Systems – Requirements) is a comprehensive system of validated test procedures for information security. Security is only one of  components that should be checked as part of the certification process of the entire cloud chain. In this case the specification of the contract service level (SLA) is of the same importance as the contracted requirements for the  data protection level  Since cloud services providers operate their services to a greater number of customers, it is necessary to check all the requirements of the testing schemes across the entire supply chain. Even if the platform Software as a Service (SaaS) provider is certified ISO 27001, this does not provide a relevant picture of the overall level of  cloud services quality and systems operated by the provider. The overall security is to a great extent influenced by security level of integrated and operated customer platforms as well as security of infrastructure providers.

The selection of the most appropriate certification scheme which will allow objective assessment  and evaluation   of cloud service can be based on following principles:

  • When auditing, the assessed service should be considered in the direct connection with the legal body providing the service
  • cloud services audit should be carried out across the entire supply chain
  • Key elements of the audit should be security, privacy and compliance
  • Absolute transparency of all participants involved in the given cloud service operation is the prerequisite for security and privacy guarantee
  • the scope of the audit itself should remain the same due to the potential comparability throughout the selection process