
4.7.1 Certification as an Account

First, when an organisation obtains a certification to demonstrate compliance with a set of rules, whether they relate to security, privacy or governance in general, it is fully applying the notion of a proactive account (see Section 4.1).

With the notable exception of CSA STAR Self-Assessment, which is a self-certification whereby all findings are published in a public repository, none of the certification schemes listed above requires the results of the evaluation to be made available to the outside world (i.e. to customers and data subjects). Sometimes the results of the assessment are made available to interested parties upon request and under a Non-Disclosure Agreement.

It should be noted that arguments against the disclosure of assessment results exist, e.g.:

  • The documented account contains descriptions of security measures and processes that could provide information to adversaries.
  • The documented account contains intellectual property or other confidential business data.

The result of this lack of visibility into audit results is that, in many cases, certified companies merely highlight that they hold a certification and do not disclose details of the process.

In most cases the certified company does not even state the scope of the certification, so customers receive no relevant information about the actual value of the certification achieved. This is not possible under the CSA STAR Certification, where publication of the assessment's scope is mandatory.

While this non-disclosure principle is valid for the reasons stated above, it contradicts the principle of transparency that is central to accountability. There should therefore be a middle ground that distinguishes a "detailed proactive account" (which is provided only to the auditors) from a "public proactive account" (which is provided to all interested stakeholders). The example of the CSA STAR Registry[57], which has currently reached 140 entries, shows that companies are willing to provide information describing at a high level how they implement certain controls addressing risk, compliance and governance issues in cloud services. Therefore there is room for the notion of a "public proactive account" in certified cloud services.