
4.7 Certifications and Continuous Compliance

In addition to producing an account during the operational phase, the accountor can deliver a report that proactively demonstrates the effectiveness of the provided service. Important evidence to be included in the account/report is, for instance, the company policy and/or the binding corporate rules (BCR), which DPAs could use to verify how a given organisation deals with data protection across all its business processes. For example, the DPA can verify whether the actual policy rules, terms and conditions are consistent with the applicable law.

References to the certifications and attestations that the organisation holds can also be included in the report. A certification is typically an assessment or audit conducted by a third party to verify that a specific product, service or process satisfies the requirements/controls of a reference standard. From a high-level perspective, a certification entails the following actions:

  1. Identification of the relevant certification or attestation scheme to be used (ISO 27001, SOC 2, CSA STAR Certification, Common Criteria, etc.). The selection of the scheme depends on the objective of the certification (does the company want to certify a product or a service/process? Does the company want to satisfy specific sectorial requirements? Does the company need to follow an international standard, or does it want to adhere to a code of practice / conduct? etc.).
  2. Definition of the scope, i.e. identification of the object of the certification: which process(es), which components, etc. A company can decide to certify the overall organisation or just a specific process, unit or product. What is necessary, though, is that the scope is relevant.
  3. Identification of the controls that are relevant and applicable within the scope of the certification. In an ISO and CSA context this exercise is called the definition of the "Statement of Applicability" (SoA). Often the SoA is defined based on the results of a risk analysis that identifies the potential security, governance or general compliance risks and the controls necessary to mitigate them.
  4. Audit and assessment of the controls, to verify that they have been implemented and that they mitigate, to an acceptable level, the risks to which the organisation is exposed.
  5. Monitoring and periodic updating of the whole process, potentially starting again from step 2.

These steps can be conducted internally by an organisation in the form of a self-certification. However, a higher level of assurance is always obtained when the assessment of these steps is conducted by an independent third party (auditors).

Well-known certification schemes that relate to security and privacy include:

  • ISO 27001 [51], which certifies information system management practices.
  • PCI DSS [52], which focuses on the secure processing of bankcard data.
  • Service Organisation Control Reports [53] (SOC 1, 2 or 3), which also concern information system management.
  • CSA STAR Self Assessment [54], which is a self-assessment against best practices in governance, risk and compliance.
  • CSA STAR Certification [55], which is a third-party assessment based on the CSA Cloud Control Matrix, ISO 27001 and ISO 2706.
  • EuroPriSe [56], which certifies compliance with EU data protection rules (limited to Directive 95/46/EC) for products and services.

Certification can be used to support the account as defined in A4Cloud in two ways.