Welcome to the Cloud Certification Schemes List (CCSL), a list of different certification schemes which could be relevant for potential cloud computing customers. The creation of this list is explicitly mentioned as a key action in the European Cloud Strategy. This list was developed by ENISA in close collaboration with the European Commission and the private sector (see below).
What is a cloud certification scheme?
Before buying a cloud service, customers want to know if the service is secure and reliable. But cloud computing services are complex and built up from many different ICT components (cables, large data centers, software, et cetera), so it is hard for individual customers to check all the technical details by themselves. Cloud providers have many customers (this is the main idea of cloud computing), so if all customers checked their security requirements separately, the same work would be done many times over. If each customer wanted to do an on-site audit, for example, there would be long queues at the gates of data centers. The idea of a certification scheme is to check one basic set of security requirements, once for all customers. In this way certification can simplify the procurement of cloud services by customers. Note that certification schemes do not replace the need for customers to do due diligence before procuring: certification is one way to simplify the process.
We refer the interested reader to a paper ENISA published last year which gives an overview of a range of information security certification schemes used in different sectors.
How to use this list?
CCSL gives an overview of different existing certification schemes which could be relevant for cloud computing customers. CCSL also shows the main characteristics of each certification scheme. For example, CCSL answers questions like "which are the underlying standards?", "who issues the certifications?", "is the cloud service provider audited?", "who audits?", et cetera. CCSL provides links and references to each certification scheme for further reading.
Cloud Certification schemes
Click on the icons of each certification scheme below, to view the characteristics of each scheme. In the future more certification schemes will be listed. The icons are shown in no particular order.
ISO 27001 Certification; Open Certification Framework; EuroCloud Star audit; TUV Certified Cloud Service; Security Rating Guide
Background of this work
In 2012 the EC issued a communication called “European strategy for Cloud computing – unleashing the power of cloud computing in Europe”. One of the actions outlined there is to assist the development of EU-wide voluntary certification schemes and make a list of such schemes. In the strategy ENISA is asked to support this work. Taking this up, ENISA developed this list in close collaboration with the European Commission and the Selected Industry Group on Certification, aka CERT SIG. The creation of this list is explicitly mentioned as a key action in the European Cloud Strategy. Read more about the background of this work in ENISA's paper on Certification in the EU cloud strategy.
Why are these schemes listed and not others?
The Selected Industry Group on Certification derived high-level principles and also a preliminary list of certification schemes (see page 7 of ENISA's paper on Certification in the EU cloud strategy). We started with a subset of this list and asked the relevant organizations to fill in information about their certification schemes.
Something missing or want to contribute to this work?
If you would like to suggest another certification scheme to be added to this list, or if you would like to join this work and help improve this list, please send a message to Cloud.Security@enisa.europa.eu.
Feedback or comments?
If you would like to give us feedback or comments on this list of schemes, or about a specific scheme on the list, please send a message to Cloud.Security@enisa.europa.eu.
For members of the C-SIG on Certification
To access the CCSL tool, for making changes and proposing new schemes, navigate here. If you need a manual, here is one. If you want to make comments or request changes to the listing, please use the issue tracker. If you have problems logging in, or if you forgot your password, please send a message to Cloud.Security@enisa.europa.eu.