Welcome to ENISA's Cloud Certification page. This page contains links to cloud certification documents and tools developed under the European Cloud Strategy. The documents and tools on this page have been developed by ENISA, in tight collaboration with the European Commission and the private sector (see below).
What is a cloud certification scheme?
Before buying a cloud service, customers want to know if the service is secure and reliable. But cloud computing services are complex and built up from many different ICT components (cables, large data centers, software, etc), so it is hard for individual customers to check all the technical details by themselves. Cloud providers have many customers (this is the main idea of cloud computing) so if all customers would check their security requirements separately, then this would mean double work. If each customer would want to do an on-site audit, for example, there would be long cues at the gates of data centers. Now, the idea of a certification scheme is to check one basic set of security requirements, once for all customers. In this way certification can simplify the procurement of cloud services by customers. Note that certification schemes do not replace the need for customers to do due-diligence when procuring, rather certification is a way to simplify this process.
We refer the interested reader to an ENISA paper, published in 2013, which gives an overview of a range of different information security certification schemes, used in different sectors.
CCSL - the Cloud Certification Schemes List
CCSL - the Cloud Certification Schemes List - gives an overview of different existing certification schemes which could be relevant for cloud computing customers. CCSL also shows which are the main characteristics of each certification scheme. For example, CCSL answers questions like "which are the underlying standards?", "who issues the certifications", "is the cloud service provider audited?", "who audits?". CCSL provides links and references to each certification scheme for further reading.
Click on the different certification schemes below to view the characteristics of each scheme. In the future more certification schemes will be listed. The schemes are listed in alphabetical order.
As next steps, together with the certification scheme owners, we are now mapping more certification schemes to the meta-framework in an online tool. This tool will be available from January 2015, and aims to allow customers to work with the meta-framework, when they procure cloud services, to generate questionnaires, or procurement checklists.
Background of this work
In 2012 the EC issued a communication called “European strategy for Cloud computing – unleashing the potential of cloud computing in Europe”. One of the actions outlined in the strategy is to assist the development of EU-wide voluntary certification schemes make a list of such schemes. In the strategy ENISA is asked to support this work. The tools and documents on this page have been developed by ENISA, in collaboration with the European Commission and the Cloud Selected Industry Group on Certification (aka C-SIG Certification). The creation of a list of certification schemes is explicitly mentioned as a key action in the European Cloud Strategy. Read more about the background of this work in ENISA's paper on Certification in the EU cloud strategy.
Why these schemes are listed and not others?
The Selected Industry Group on Certification, derived a set of high-level principles and also a preliminary list of certification schemes. The governance document that explains in detail the procedure followed and the assessment principles can be found .
Feedback or comments?If you would like to give us feedback or comments on this list of schemes, or about a specific scheme on the list, please send a message to Cloud.Security@enisa.europa.eu.
Something missing or want to contribute to this work?
If you would like to suggest another certification scheme to be added to this list, or if you would like to join this work and help improve this list, please send a message to Cloud.Security@enisa.europa.eu