Cloud Computing Certification - CCSL and CCSM

Welcome to ENISA's Cloud Certification page. This page contains links to cloud certification documents and tools developed under the European Cloud Strategy. The documents and tools on this page have been developed by ENISA, in tight collaboration with the European Commission and the private sector (see below).

What is a cloud certification scheme?

Before buying a cloud service, customers want to know if the service is secure and reliable. But cloud computing services are complex and built up from many different ICT components (cables, large data centers, software, etc), so it is hard for individual customers to check all the technical details by themselves. Cloud providers have many customers (this is the main idea of cloud computing) so if all customers would check their security requirements separately, then this would mean double work. If each customer would want to do an on-site audit, for example, there would be long cues at the gates of data centers. Now, the idea of a certification scheme is to check one basic set of security requirements, once for all customers. In this way certification can simplify the procurement of cloud services by customers. Note that certification schemes do not replace the need for customers to do due-diligence when procuring, rather certification is a way to simplify this process.

We refer the interested reader to an ENISA paper, published in 2013, which gives an overview of a range of different information security certification schemes, used in different sectors.

CCSL - the Cloud Certification Schemes List

CCSL-logo

CCSL - the Cloud Certification Schemes List - gives an overview of different existing certification schemes which could be relevant for cloud computing customers. CCSL also shows which are the main characteristics of each certification scheme. For example, CCSL answers questions like "which are the underlying standards?", "who issues the certifications", "is the cloud service provider audited?", "who audits?". CCSL provides links and references to each certification scheme for further reading.

Click on the different certification schemes below to view the characteristics of each scheme. In the future more certification schemes will be listed. The schemes are listed in alphabetical order.

CCSM - the Cloud Certification Schemes Metaframework

CCSM - the Cloud Certification Schemes Metaframework - is an extension of CCSL. It is a meta-framework of cloud certification schemes. The goal of the meta-framework is to provide a neutral high-level mapping from the customer's Network and Information Security requirements to security objectives in existing cloud certification schemes, which facilitates the use of existing certification schemes during procurement.

CCSM Framework document: The first version of this meta-framework was approved and adopted in November 2014, by the Cloud-SIG on Certification.

CCSM online procurement tool: Based on the metaframework we developed an online tool for customers to use during procurement. The online tool allows customers to choose a set of relevant security objectives, to see which of these security objectives are addressed by which cloud certification schemes (and also in more detail where each objective is addressed). The online tool also allows customers to create a number of custom forms and checklists for procurement as tools in their procurement process (for example as checklists for evaluating offers or as the basis for questionnaires).

As next steps, together with the certification scheme owners, we are now mapping more certification schemes to the meta-framework in an online tool. This tool will be available from January 2015, and aims to allow customers to work with the meta-framework, when they procure cloud services, to generate questionnaires, or procurement checklists.

Background of this work

In 2012 the EC issued a communication called “European strategy for Cloud computing – unleashing the potential of cloud computing in Europe”. One of the actions outlined in the strategy is to assist the development of EU-wide voluntary certification schemes make a list of such schemes. In the strategy ENISA is asked to support this work. The tools and documents on this page have been developed by ENISA, in collaboration with the European Commission and the Cloud Selected Industry Group on Certification (aka C-SIG Certification). The creation of a list of certification schemes is explicitly mentioned as a key action in the European Cloud Strategy. Read more about the background of this work in ENISA's paper on Certification in the EU cloud strategy.

Why these schemes are listed and not others?

The Selected Industry Group on Certification, derived a set of high-level principles and also a preliminary list of certification schemes. The governance document that explains in detail the procedure followed and the assessment principles can be found here.

Feedback or comments?If you would like to give us feedback or comments on this list of schemes, or about a specific scheme on the list, please send a message to Cloud.Security@enisa.europa.eu.

Something missing or want to contribute to this work?

If you would like to suggest another certification scheme to be added to this list, or if you would like to join this work and help improve this list, please send a message to Cloud.Security@enisa.europa.eu

For members of C-SIG Certification only:

First login here
To access the CCSL tool, navigate here.
The manual for CCSL can be found here.
To discuss errors, bugs and changes, use the issue tracker.
If you have problems logging in, if you encounter bugs, or if you forgot you password please send a message to Cloud.Security@enisa.europa.eu