Compliance frameworks for cloud security providers across globe

Many organisations have moved some or all of their IT to the cloud, but it’s resulted in unexpected costs, fragmentation, and a need for more security staff to monitor data, mitigate advanced threats and meet regulatory & compliance requirements.

Until few years ago – the mission critical data of an organization will be within walls (data center) and organization is accountable to ensure that they meet the regulatory and compliance needs. Technology has evolved and now security leaders ‘trust’ cloud to secure their data & for mobility requirements. (see related post – Security considerations while migrating business applications to cloud infrastructure)

But – How are you evaluating the CSPs (Cloud security providers) adherence to compliance frameworks despite the business are not restricted to specific region in the global economy. (See related post – NIST released the draft NICE Cybersecurity Workforce Framework (NCWF))

In this article, you’ll understand the various compliance frameworks that cloud security provider should stay up-to-date with the evolving industry standards across geographies with more than 1000 controls. Below are the country specific compliance requirements

United States

• CJIS
• CSA CCM
• DISA
• FDA CFR Title 21 Part 11
• FEDRAMP
• FERPA
• FIPS 140-2
• FISMA
• HIPPA/HITECH
• HITRUST
• IRS 1075
• ISO/IEC 27001, 27018
• MARS-E
• NIST 800-171
• Section 508 VPATs
• SOC 1, 2

United Kingdom

• CSA CCM
• ENISA IAF
• EU Model Clauses
• ISO/IEC 27001, 27018
• NIST 800-171
• SOC 1, 2, 3
• UK G-Cloud

European Union

• CSA CCM
• ENISA IAF
• EU Model Clauses
• EU-U.S. Privacy Shield
• ISO/IEC 27001, 27018
• SOC 1, 2,
• GDPR

Spain

• CSA CCM
• ENISA IAF
• EU Model Clauses
• EU-U.S. Privacy Shield
• ISO/IEC 27001, 27018
• SOC 1, 2
• Spain ENS
• LOPD

China

• China GB 18030
• China MLPS
• China TRUCS

Japan

• CSA CCM
• CS Mark (Gold)
• FISC
• ISO/IEC 27001, 27018
• Japan My Number Act
• SOC 1, 2

Argentina

• Argentina PDPA
• CSA CCM
• IRAP (CCSL)
• ISO/IEC 27001, 27018
• SOC 1, 2

Australia

• CSA CCM
• IRAP (CCSL)
• ISO/IEC 27001, 27018
• SOC 1, 2

New Zealand

• CSA CCM
• ISO/IEC 27001, 27018
• NZCC Framework
• SOC 1, 2

Singapore

• CSA CCM
• ISO/IEC 27001, 27018
• MTCS
• SOC 1, 2

With enforcement of the EU’s General Data Protection Regulation (GDPR) is just over a year away in May, 2018,  Adoption of cloud applications across the EU continues at a rapid clip, and the global nature of leading cloud applications means that protecting personal data and achieving data residency can be difficult to achieve. (see related post – Security regulatory compliance for telecom operators)

Organization can’t simply give-away on adherence to regulatory compliance requirements. This is an ongoing engagement for the cloud security providers to ensure that they conduct periodic 3rd party audit to ensure that the solutions meet the compliance and enable trust with the customers.