Cloud Industry Forum Code of Practice

Part 1 - General information
Cloud Industry Forum Code of Practice
CIF CoP
Cloud Industry Forum

The Cloud Industry Forum has set up a governance board to be responsible for the stewardship of the Code of Practice, and full details of the board composition and committees can be found on the CIF website. This operates independently of the CIF Management Board of the not-for-profit member body, and includes representatives from outside CIF membership, including end user representatives, industry advisors and IT legal practices, to ensure a balanced and transparent approach to governance. The Code of Practice Governance Board is chaired by an elected representative from the governance board members, and is responsible inter alia for the following:
■ Reviewing the requirements of the Code of Practice on an annual basis and approving any changes
■ Identifying the principal risks of the CIF CoP operations and scope and overseeing the implementation of appropriate risk assessment systems to manage these risks
■ Monitoring participant appeals, third party complaints and operational standards and consistency associated with the operation of the CIF Code of Practice
an organisation, one or more cloud services

Part 2 - Underlying information security standard or best practices
CIF Code of Practice
Cloud Industry Forum
other (describe briefly)
A. Transparency: Information for public disclosure and information for contracting disclosure
B. Capability: Documented management systems are required
C. Accountability: Accountability for compliance with the Code and for behaviour with customers
Facilities (hardware, cooling, etc), Organization (processes, policies)
public and free
yes (description below)
Yes, for capability requirements. The following standards are recognized and accepted as part of an organization's application:
ISO/IEC 27001 (Information Security Management)
BS 25999 (Business Continuity)
ISO/IEC 20000-1 (Service Management)
ISO 9001 (Quality Management)
ISO 14001 (Environmental Management)
The specific areas for which documented management systems are required for the Code are:
B.1 Information Security Management (incl. Data Protection)
B.2 Service Continuity Management
B.3 Service Level Management
B.4 Supplier Management
B.5 Software License Management (incl. License Compliance)
B.6 Complaint Handling
B.7 Environmental Impact Management
The documented management system for each area must include:
1. Written policies: These do not necessarily have to be extensive but should cover how and what the organization aims to achieve in the capability area. The policies have to be sufficient to support the objectives of the company.
2. Written procedures: These may include work instructions, flow charts, service/operational level agreements, third party contracts, workflows built into management applications, etc.
3. Specific individuals assigned with relevant responsibilities: These can be evidenced via organization charts, person specifications, job descriptions, RACI charts for these areas, etc.
4. Appropriate training and awareness programs: These may take the form of training plans or communications to others for awareness, e.g. meeting minutes, internal memos, etc.
Permitted alternative evidence:
ISO/IEC 27001 certificate plus scoping statement
BS 25999 certificate plus scoping statement
ISO/IEC 20000-1 certificate plus scoping statement
ISO 9001 certificate plus scoping statement
ISO 14001 certificate plus scoping statement
CIF Code of Practice (CoP) self-certified partner certification plus scoping statement
Part 3 - Assessments and certification of compliance
The assessment stage covers a detailed self-assessment of internal processes and documentation, together with external public-facing information sources, to ensure compliance with the requirements of the Code of Practice. Organizations wanting to claim certification then complete a questionnaire on the self-certification website. They submit this together with supporting auditable evidence to APMG, where it is reviewed by an assessor before authorization to use the certification mark is granted. After gaining recognition that they comply with the Code, the company conducts an annual self-certification and confirms the successful results of this assessment to APMG in order to receive authorization to continue to use the certification mark. As CIF's independent certification partner, APMG does not provide any commercial Cloud services and so has no conflict of interest, thereby protecting the integrity and confidentiality of the information provided as part of the process. For a fuller description of the assessment and certification processes see the 'Executive Briefing' http://cloudindustryforum.org/downloads/CIF%20CoP%20Document%201_An%20Executive%20Briefing_(1.0).pdf and 'Conducting the Self-Certification' http://cloudindustryforum.org/downloads/CIF%20CoP%20Document%202_Conducting%20the%20Self-Certification_(1.0).pdf
APMG
APMG
other (describe briefly)
Audits are carried out by APMG, who are independent of the Cloud service industry and therefore impartial. APMG are accredited by the United Kingdom Accreditation Service (UKAS) and can therefore demonstrate the competence, impartiality and performance capability of their assessment processes to internationally recognized standards. CIF operates a compliance committee to consider complaints and decide on an organization's eligibility to self-certify against the Code of Practice.
yes (link below)
no
The scheme works equally well for SME CSPs as for large CSPs; the level of assurance is appropriate to the services being certified regardless of the provider's size.
yes - provide a link to a self-assessment form
no
yes - provide a link to an example
yes - provide a link to an example
yes (description below)
The certification framework is updated to follow changes in technology.
yes (description below)
Yes, certification lasts one year.
Part 4 - Current adoption and usage
The CIF Code of Practice has been in operation for two years. It has proven to be particularly useful for SMEs because (1) It is practical for SMEs to achieve; and (2) it provides SMEs with the additional credibility and visibility they need to compete in a crowded market.
16
11 are publicly declared as undergoing certification
global
global
CIF is following the UK Information Commissioner's Office proposal to establish a Privacy Seal or Trust Mark scheme for accrediting the information security practices of on-line service providers. This would be delivered through demonstrating compliance with endorsed industry codes of practice, which requires the development of more explicit guidance to meet the scheme's requirements. Extending the CoP to meet the scheme criteria would be valuable both for customers of CSPs and for the supply community.
Part 5 - Security objectives
Provisions for Information Security
Description:

Are there provisions for information security in place, including measures and policies?

References:

A.2.6

Capability
Description:

The cloud provider has set processes for the assessment and treatment of information security risks, tailored to the needs of the organization. Is the cloud service provider ISO/IEC 27001 certified? The code of practice recognizes this certification.

References:

B

Information security management responsibilities
Description:

Are there specific individuals assigned with relevant responsibilities for information security management (including data protection)?

References:

B

Service Dependencies
Description:

Are there provisions for service dependencies, and are any sub-contracting or co-location relationships transparent to customers? This includes the implications of any service dependencies for service levels, compliance with data protection requirements and the continuity of operations.

References:

A.2.10

Security Training
Description:

Are there sufficient training and awareness programs for security management (including data protection) for staff? These may take the form of training plans or communications to others for awareness.

References:

B

Personnel Capabilities
Description:

Are there sufficient training and awareness programs for personnel?

References:

B

Environmental Impact Management
Description:

The cloud provider has an environmental management system covering the environmental impact of its operations. Is the cloud service provider ISO 14001 certified? The code of practice recognises this certification.

References:

B.7

Access Control
Description:

Are there sufficient policies and measures for access to cloud resources? The cloud provider should have written policies and specific individuals assigned with relevant responsibilities.

References:

B.1

Service Continuity management
Description:

Are there documented management systems with policies, procedures, specific individuals assigned with relevant responsibilities and appropriate training for service continuity management?

References:

B.2

Documented management systems
Description:

Are there written policies, procedures, responsibilities and appropriate training programs for information security, service continuity, service level management, supplier management, license management, complaint handling and environmental impact management?

References:

B

Compliance
Description:

Is the cloud service provider committed to any codes of practice or other certifications? Is the cloud service provider ISO 9001 certified? The cloud service provider should have a quality management system through which the organization can demonstrate its ability to consistently meet statutory and regulatory requirements.

References:

A.1.7 and A.1.9

Security management
Description:

Are there documented management systems that include information security management and data protection? These should include written policies and procedures and details of how staff are trained on these procedures.

References:

B.1

Customer Migration Paths
Description:

Are provisions in place for customer migration paths at execution and termination? Cloud service providers should have the ability to retrieve or transfer data in the event of a change in services or cessation of business.

References:

A.2.3 and A.2.4