BASED ON EUROPEAN QUALITY VALUES FOR WORLDWIDE USAGE INTERNATIONAL PARTNER PROGRAMME BY EUROCLOUD EUROPE EUROCLOUD STAR AUDIT



WHO WE ARE

EuroCloud Europe is an independent non-profit organisation with a network of national EuroCloud country organisations.

EuroCloud Europe facilitates growth of cloud based services and innovations across Europe and worldwide.

EuroCloud fields of activities are: Trust in Cloud, Research and Innovation, Start Up Encouragement, Standards and Interoperability, Legal Framework Harmonisation.

ECSA MISSION

ECE is offering the certification scheme “EuroCloud Star Audit” (ECSA) in order to establish trust in cloud services both on the customer and the user side.

The purpose of the ECSA and auditing Cloud Services is to provide an accountable quality rating of Cloud Services.


ECSA VISION

• To deliver a framework, assessments and a certificate that are meaningful selection tools for customers who want to use trustworthy cloud services.

• To reduce the necessity to perform costly individual assessments.

• To provide a valuable instrument with a high level of transparency and guidance for customers and providers alike.

ECSA VALUES

• A mature certification scheme (ECSA) especially designed to assess cloud services. Assessment levels fit various use cases and are suitable not only for large enterprises but also for an SME-type cloud provider.

• Evaluation procedures to perform assessments against requirements that cover all participants of the supply chain of a cloud service.

• Transparency and Awareness – single place of publishing.

• A global eco-system of partners for various business models. Training for partners as well as customers of cloud services.


THE CHALLENGE

It is a challenge to select the best cloud provider for your needs from among the many offering cloud services in the market.

The way these services are provided is often highly complex and unrelated to the location of user and provider. For example, to keep data sovereignty, it may be necessary to check whether the software service of a provider in the same country as the user still has certain facilities (such as the computing and storage capacity) abroad and is thus subject to special data protection and fiscal requirements.

The ECSA evaluates Cloud Services according to a set and published catalogue of criteria. The result of this audit process shows the respective level of maturity and compliance of a service.

The certification procedure is based on best practices and provides answers to the main questions managers are likely to ask when looking for a suitable cloud service provider. Unlike purely security or data protection audits, it covers the entire range of cloud service functions and validates compliance with the requirements in clearly understandable terms.


ECSA IN DETAIL

The EuroCloud Star Audit (ECSA) is a mature certification scheme, especially designed to assess cloud services.

EuroCloud evaluates a cloud service against the requirements of the ECSA audit scheme and covers all participants of the specific supply chain of a cloud service.

The ECSA audit has a non-negotiable, mandatory scope covering all important areas of a cloud service:

• Provider's profile

• Contract and compliance including data privacy protection against local law

• Security

• Operations

• Environment and technical infrastructure

• Processes

• Relevant parts of the application and implementation

• Interoperability and data portability


ECSA IN DETAIL

ECSA has a modular structure and offers three maturity levels. Similar to the well-known hotel classification, the cloud service is assigned “EuroCloud stars” from *** up to *****. Therefore ECSA is not only suitable for large enterprises but can also be achieved by an SME-type cloud provider.

If a cloud service matches the ECSA audit criteria the ECSA certificate is granted.

As long as there are no changes made within the cloud service profile and assessment areas, the certificate is valid for two years.

The ECSA certificate is a meaningful selection tool for customers who want to use trustworthy cloud services and it reduces the necessity to perform costly individual audits.

The EuroCloud Star Audit is a joint activity performed by the ECSA partners within an eco-system.

With the ECSA, EuroCloud Europe delivers a valuable instrument with a high level of transparency and guidance for customers and providers alike.


WHAT NEEDS TO BE ADDRESSED BY A CLOUD CERTIFICATION?

Cloud Specific Assessment

Security Assessment

Legal Compliance Assessment

Data Privacy Assessment

Common Scope - no negotiations

Complete Cloud Supply Chain covered

WHAT IS REALLY IMPORTANT?

All controls of the certification scheme must be publicly available.

Strict separation between the work of the Certification authority and the certification business (audit, training or consulting organisations).

Full independence of certification authority. Free of influence from industry, members, sponsors, government organisations.


ECSA HISTORY

Initial development started in 2010

First audits in 2011 at a local country level

Further streamlining as part of the ENISA and EU Cloud Select Industry Group in 2013

Officially listed in ENISA Cloud Certification Schemes Listing (CCSL)

International promotion started in 2014

Additional tools for Self Assessment, Training and Qualification

Special marketing campaign for the buyer market and scheme integration into various market places


ECSA PROCESS FOR CLOUD SERVICE PROVIDERS

STEP 1

Make yourself familiar with the ECSA control requirements

Perform a self-assessment against the scheme in one of the three quality levels as a Trusted Cloud Service Provider

STEP 2

Register as an ECSA partner with your public report and enhance your visibility in marketplaces with ECSA partnership

Use the report as a quality statement for your lead generation

STEP 3

Find an ECSA-AAO (Accredited Audit Organisation)

Start the full audit and provide evidence of the Self Assessment statements

Prepare yourself to provide submissions like company registration, contracts, data privacy statements where applicable, security and data protection measures, data centre specific information (connectivity, cooling, electricity, area security, emergency plans, …), process maturity, interfaces, data portability and service plans.


Provide transparency about all sub-services, subcontractors and data locations

Follow the recommendations of the auditors during remote and onsite inspection.

Apply for an ECSA certification for official registration

Use the certification as evidence of transparency and effectiveness, so that your customers see you as a fully Trusted Cloud Service Provider

Register as an ECSA partner with your public certification and further enhance your visibility in marketplaces with ECSA partnership

STEP 4

Follow the guidelines and recommendations of the ECSA to keep the service with the highest reputation


ECSA PROCESS FOR CLOUD SERVICE CUSTOMERS

STEP 1

Make yourself familiar with the ECSA control requirements and match them with internal compliance criteria

Use marketplaces with ECSA support to find a trustworthy cloud service provider

STEP 2

Request appropriate evidence with the provision of at least an ECSA self-assessment or, even more preferably, a public ECSA certification report

STEP 3

Share the results of the internal vendor choice process and use the ECSA assessment tool for individual assessment and reporting
