Why is Cloud Security Certification Confusing?

Third-party audits and certifications provide assurance and promote trust regarding a cloud service provider’s approach to security and privacy. They are also a credible way to demonstrate compliance with standards and regulations. Unfortunately, though, the number of national, international and sectoral standards, laws and regulations has increased drastically in recent years, making the compliance landscape far more complex. Just take a look at the number of schemes around. And that’s not the whole picture.

Such a proliferation of requirements has directly increased the cost of compliance for Cloud Service Providers (CSPs), which in some cases is passed on to the cloud customer as a higher service price.

Optimising the Compliance Process

The EU-SEC project has analysed the issue of this proliferation of cloud security standards and compliance schemes, and has observed that many security requirements and control objectives in different standards are largely overlapping.

As a consequence, the process of adhering to different standards, laws and regulations for CSPs is inefficient, with a lot of duplicated work that unduly increases costs and complexity.

The EU-SEC project has worked on addressing these issues by, for instance, identifying the common denominators between widely known standards and presenting them under a well-defined and comprehensive framework, namely the EU-SEC “Multi-Party Recognition Framework” (MPRF).

The Framework has been validated by 4 consortium members in a 12-month pilot scheme, the results of which have been used to improve the Framework.

Benefits for Cloud Service Providers

  • Streamlines the compliance process
  • Reduces the effort and resources needed to achieve multiple certifications
  • Provides a comparison of different schemes
  • Complements traditional auditing & certification methods
  • Gives a single source of information for internal staff

The benefits kick in from just 2 certificates. The CSP involved in the pilot scheme, which already holds more than 10 compliance certificates, is working towards BSI C5 compliance. Thanks to the MPRF, it has identified a potential reduction of 24 % in the requirements it must separately demonstrate for this highly-prized European certification.

Being able to concentrate only on the gaps and non-conformities represents huge potential savings in terms of time and money for enterprises of all sizes.

Benefits for Certification bodies and Scheme Owners

The MPRF provides certification bodies and scheme/standard owners with:

  • Significant synergies from a single management system that covers multiple aspects of organizational performance and meets the requirements of more than one standard/framework
  • A single system for documentation, governance elements and responsibilities for the ongoing management of compliance, regulatory, legal and information security obligations, through which the MPRF enables:
    • Identification of overlapping requirements
    • Leverage of efficiencies that reduce complexity
    • Reduction of costs
    • Decrease of risk
    • Greater visibility and assurance for the organization

Scheme owners are encouraged to interact with the MPRF governance body to ensure the Framework continues to reflect the state of the art in cloud certification. If you want to participate in or contribute to the scheme, get in touch.

Benefits for Auditors

  • Competitive advantage for certification bodies
    • Addition to the service portfolio
    • New business opportunities
    • Possible to offer more certifications at lower cost compared to a full-scope audit for each standard
    • Maximized auditor billable time
  • Lower costs with less effort
    • Audits focus on the delta between standards
      • The audit process is more efficient when like controls and requirements are consolidated and checked once
      • The time and effort required from the auditor decreases
    • The audit process itself is unchanged, so there is no steep learning curve for existing auditors

Auditors are already benefiting from the scheme and we welcome more input from the auditing field. Get in touch to find out if MPRF can help you.

[Figure: the MPRF lifecycle. 1. A candidate scheme is evaluated against principles and criteria and found eligible or non-eligible for multi-party recognition; 2. The framework enables comparison and recognition between different auditing standards; 3. A governance process ensures continuous improvement, maintenance and future sustainability of the framework. Image: Fraunhofer FOKUS]