For this reason, certification by recognised testing organisations will play an
increasingly important role for demonstrating compliance with auditing
obligations.
4.1 Certification of Cloud services with EuroCloud
So far, the development of standards for Cloud computing has primarily
been in the area of technical requirements and operational integration.
Currently, a number of Cloud IT certifications are being established. Basing
these certifications on existing, international certifications from ISO, IDW
and national test systems makes a lot of sense. However, it is hard to say
what exactly you would need to audit according to a classic certification like
ISO 27001. Companies love to advertise with this certification and one
cannot deny that this is relevant proof of the provider's professionalism. But
with this certification, the scope to be audited must first be determined, and
this will not necessarily match the scope of your compliance requirements.
Similarly, the popular SSAE16/ISAE 3402 certification (formerly SAS 70 II)
primarily audits the correct performance of transactions relevant to the
accounting processes.
65
For the first time, the EuroCloud organisation offers a Cloud certification
under the "EuroCloud Star Audit" name. The certification applies specifically
to the areas of IaaS, PaaS, and SaaS and includes clearly defined
requirements for measures in the area of controlling that must be met to
various degrees in order to be certified as a trusted Cloud provider.
Comprehensive expertise is necessary for qualitative testing of services in
terms of data security, technical operations and organisational workflows, in
order to confirm that the requirements of service level agreements are
being observed. For this reason, certificates are usually chosen that provide
a compact statement about security aspects and the reliability of the service
provider.
EuroCloud has developed a special seal of approval specifically for these
contractual, technical and organisational requirements; the certificate
confirms that the fundamental requirements for providing Cloud services
have been tested by trained auditors. The catalogue of testing criteria has
been developed in close consultation with public authorities, research
65
An expanded version of this chapter can be found under