Cloud Security Alliance and ISO/IEC co-develop security standards
By Asia Cloud Forum staff 21-Apr-2011
The Cloud Security Alliance (CSA) today announced that it will develop cloud security and privacy standards under ISO/IEC.
ISO/IEC is short for International Organization for Standardization/International Electrotechnical Commission.
The CSA has established a Category C liaison relationship with ISO/IEC's Joint Technical Committee 1/Sub Committee 27 (JTC 1/SC 27). Category C liaisons are organizations which make an effective technical contribution and participate actively in the working groups (WG) under SC 27.
ISO/IEC JTC 1/SC 27 has started to develop a series of standards that will address the security and privacy issues of cloud computing services. This development is being carried out in collaboration with various standardization partners, including ITU-T and ISO/IEC JTC 1/SC 38, together with CSA.
"This new cooperation with the CSA is expected to facilitate an important communication channel for the promotion of cloud computing security standards amongst the information security community," said Dr. Walter Fumy, chairman of Sub Committee 27.
2 collaboration projects
The Cloud Security Alliance will initially collaborate with SC 27 on two projects:
- A new work item proposal for cloud security, reinforcing previous work done on the Code of Practice for Information Security Management (ISMS) found in the ISO/IEC 27002 International Standard. The aim is to provide guidelines on information security controls for the use of cloud computing services based on ISMS security controls.
- Information security for supplier relationships part 1. This is a new part under the multi-part standard, ISO/IEC 27036.
"By working closely with ISO in the highly dynamic cloud computing environment, the industry can have confidence that CSA guidance will be enduring, and that they can align with it now," said Dave Cullinane, board chairman, CSA.
Dr. Meng-Chow Kang, Convenor WG 4 under SC 27, stated, "The step towards standardization that CSA is taking is both strategic and critical. Strategic in that it could leverage standards to provide the required baselines to improve security and interoperability in cloud services. Critical in that this could help pave a way towards better security assurance of cloud services, a common concern of cloud users."
"The Security & Privacy Standards Technical Committee (SPSTC) under the Singapore IT Standards Committee (ITSC) recognizes the importance of having international standards in the area of cloud computing. In particular, there is a strong need to address the concerns of cloud security from both service provider and end-user perspectives," said Kin-Chong Chan, chairman of the SPSTC, ITSC Singapore.