In 2012 we started a certification process. We noticed that our customers were placing increasingly important data in our cloud. Certification plays an important role in this development by providing our customers with even more certainty regarding the quality of our services.
We decided to aim for the security standards ISO 27001 and NEN 7510, plus our own set of strict controls, the CloudControls, which cover the cloud-specific risks. Over the last few months we have been audited on these three control sets, and this week the international risk manager DNV issued a positive recommendation to the UKAS committee. We expect to receive this certification during the month of March.
ISO 27001 and NEN 7510
The best-known IT standard in Europe is ISO 27001, an international IT security standard that consists of 133 controls. Parties seeking certification can choose which controls are applicable to them. The number of selected controls has a large influence on how much trust the certification conveys. We chose to make all controls applicable.
For the medical sector we decided to obtain the so-called NEN 7510 certification. This is a strengthened version of ISO 27001 that features controls aimed at the protection of medical data.
Besides the security risks that are controlled by ISO 27001 and NEN 7510, outsourcing to the cloud involves other factors that cause uncertainty. The 'outsourcing risks' are especially important: these are risks introduced because you obtain a part of your IT infrastructure from an external party. Questions that can be asked are: What will the cloud provider do when a foreign government wants to seize your data? What are the guarantees surrounding the provision of information regarding incidents, or the fulfillment of the agreed SLA?
Another type of uncertainty is the 'multi-tenancy risks': these are the risks related to sharing infrastructure with other customers. An example of such a risk is a single customer having the possibility to use up all available resources.
At the moment there is no standard that covers the above factors, which is why we have developed the CloudControls together with KPMG and some others. This is a set of 38 controls that cover outsourcing risks and 5 controls that regulate multi-tenancy risks.