Cloud Security Alliance Announces Key Initiative in Development of Cloud Security Standards in Partnership with ISO/IEC
CSA Establishes Category C Liaison Relationship with ISO/IEC JTC 1/SC 27
London, ENGLAND – #CSASummit at #InfosecUK – April 20, 2011 – At the CSA Summit at Infosecurity Europe, the Cloud Security Alliance (CSA) announced that it will have a key role in the development of cloud security and privacy standards under ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). The CSA has established a Category C liaison relationship with ISO/IEC’s Joint Technical Committee 1/Sub Committee 27 (JTC 1/SC 27), with Mr. Aloysius Cheang, CSA’s Asia Pacific Strategy Advisor and co-editor of the ISO/IEC 27032 “Guidelines for Cybersecurity” International Standard, appointed as the Liaison Officer between the CSA and ISO/IEC JTC 1/SC 27. Category C liaisons are organizations that make an effective technical contribution and participate actively in the working groups (WG) under SC 27.
Dr. Walter Fumy, SC 27 Chairman, said, “The security and privacy of cloud computing services are an ever-growing concern to users and consumers of these services. ISO/IEC JTC 1/SC 27 is now embarking on the development of a series of standards that will address the security and privacy issues of cloud computing services. This development is being carried out in collaboration with various standardization partners including ITU-T and ISO/IEC JTC 1/SC 38 together with CSA. This new cooperation with the CSA adds significant value to this work of ISO/IEC JTC 1/SC 27 as it facilitates an important communication channel for the promotion of cloud computing security standards amongst the information security community.”
The Cloud Security Alliance will initially collaborate on two projects with the SC 27:
- A new work item proposal for cloud security, reinforcing previous work done on the Code of Practice for Information Security Management (ISMS) found in the ISO/IEC 27002 International Standard. The aim is to provide guidelines on information security controls for the use of cloud computing services based on ISMS security controls. This new work item on cloud security will be co-edited by Dr. Marlin Pohlman, CSA’s Global Strategy Director, Co-Chair Cloud Controls Matrix, Consensus Assessment and Cloud Audit for the CSA, and Chief Governance Officer of EMC.
- Information security for supplier relationships part 1. This is a new part under the multi-part standard, ISO/IEC 27036, and it will be co-edited by Ms. Becky Swain, Co-Founder and Co-Chair, CSA Cloud Controls Matrix, CSA Silicon Valley Chapter Board Member.
“By working closely with ISO in the highly dynamic cloud computing environment, the industry can have confidence that CSA guidance will be enduring, and that they can align with it now,” said CSA chairman of the board Dave Cullinane.
Remarked Prof. Edward Humphreys, Convenor WG 1 under SC 27, “It is the expectation of ISO/IEC JTC 1/SC 27 that the outreach of CSA to the cloud computing world of service providers, corporate vendors, industry groups and associations, as well as individual users, will complement the work of ISO/IEC JTC 1/SC 27 and its other standardization partners, and enable a flow of value-added business and user input to the development of ISO/IEC JTC 1/SC 27 cloud computing security and privacy standards.”
Dr. Meng-Chow Kang, Convenor WG 4 under SC 27, stated, “The step towards standardization that CSA is taking is both strategic and critical. Strategic in that it could leverage standards to provide the required baselines to improve security and interoperability in cloud services. Critical in that this could help pave a way towards better security assurance of cloud services, a common concern of cloud users. WG 4, whose focus includes ICT services related security standards, is pleased with the new collaborative work with CSA in this regard.”
Commented Prof. Dr. Kai Rannenberg, Convenor WG 5 under SC 27, “Given the ever rising importance of privacy and identity management for cloud computing and the advantages of an early integration of these topics WG 5 is pleased to collaborate with the Cloud Security Alliance through the new liaison. Informing both customers and end-users of such customers about any access or use of their personal information is an important task here, as is the clear and transparent delineation between the different service providers.”
Mr. Kin-Chong Chan, chairman of the SPSTC, ITSC Singapore, said, “The Security & Privacy Standards Technical Committee (SPSTC) under the Singapore IT Standards Committee (ITSC) recognizes the importance of having international standards in the area of cloud computing. In particular, there is a strong need to address the concerns of cloud security from both service provider and end-user perspectives. In this regard, we are pleased to bear witness to the establishment of the relationship between ISO/IEC JTC 1/SC 27 and CSA in Singapore, where we played host for the 2011 Spring meetings and plenary. We look forward to working with ISO/IEC JTC 1/SC 27 and CSA to develop and establish relevant international standards in the areas of management systems, controls, audit and governance, in particular the development and promotion of appropriate standards to address security requirements for providers and consumers of cloud computing services.”
About Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.
About ISO/IEC JTC 1 SC 27
ISO/IEC JTC 1/SC 27 focuses on the development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:
- Security requirements capture methodology;
- Management of information and ICT security, in particular information security management systems (ISMS), security processes, security controls and services;
- Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
- Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
- Security aspects of identity management, biometrics and privacy;
- Conformance assessment, accreditation and auditing requirements in the area of information security;
- Security evaluation criteria and methodology.
SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.