Maximum IT security is one of the most important aspects of cloud computing. There are various security certifications on the market, and one of them is especially convincing: for several reasons, the German ISO 27001 certification based on IT baseline protection represents the gold standard.
Fact 1: BSI baseline protection is not ISO 27001
‘ISO 27001 on the basis of IT baseline protection’ is not ‘ISO 27001’. It is much more than that. ISO 27001 specifies an information security management system (ISMS). However, unlike IT baseline protection, it covers only the management side, i.e. the process of such a system. In simple terms, it certifies that you have a process of continuous control and improvement for your product. What it does not cover is any technical detail of the solutions in the product at hand, or their quality.
So, even if you have a poor-quality product, as long as you are improving it in a systematic manner, it is fine under ISO 27001.
In contrast, for an ISO 27001 on the basis of IT baseline protection certification you need to prove that your product conforms to a very strict and specific catalogue provided by the German BSI (Federal Office for Information Security). This catalogue of safeguards is roughly 4,400 pages of detailed technical material. The BSI-accredited auditor will go through your claims and make sure they are true. You can imagine how much more thorough this is and how much more effort it takes to be compliant. What’s more, BSI baseline protection is compatible with ISO 27001 and includes its process and management requirements.
Fact 2: A BSI certification doesn’t always mean your cloud is safe
The German BSI provides a catalogue of many modules that service providers can use for certification. For example, Global Access is certified for 74 modules, 3 of which are related to cloud services:
- B 1.17 Cloud Usage
- B 3.303 Cloud Storage
- B 5.23 Cloud Management
As far as we are aware, we are the only cloud service provider to be certified for these modules. It may be that a cloud service provider is BSI-certified for management and data center access, but not for cloud services.
The bottom line is this: the BSI badge alone is not enough. You need to ask and check which modules are included in a certification and whether these modules cover the services you plan to purchase.
Fact 3: C5 attestation from BSI is very different from IT baseline protection
There are several service providers who use a BSI badge and refer to their ‘C5 attestation’. It is important to understand that this is not the same as a certification according to IT baseline protection from the German BSI.
As mentioned before, if you wish to get BSI-certified according to ISO 27001 based on IT baseline protection, expect a visit from a serious guy in a suit who is accredited by the BSI and proficient in both data protection law and technology. This auditor will review all your claims and ensure that everything is both technically correct and conforms with the safeguards catalogue provided by the BSI.
On the other hand, the C5 attestation process is such that a cloud provider simply produces documents describing its safeguards. These documents must then be read and signed by a public accountant. You read that correctly: not by a BSI-accredited auditor (as is the case for IT baseline protection), but by ANY public accountant. Once the documents are signed by a public accountant, they are valid, and the BSI does not perform any further audit or accreditation. This is why it’s called a ‘C5 attestation’ and not a ‘C5 certification’.
Fact 4: BSI is not BSI
BSI can also refer to the British Standards Institution, a UK-based certification company. The confusion may arise because the UK BSI offers certification for ISO 27001, yet this is the plain ISO standard described above, not the German BSI standard. Whenever you see a cloud provider certification, check whether it comes from the Bundesamt für Sicherheit in der Informationstechnik or from the British Standards Institution.
Fact 5: The German Federal Ministry of the Interior makes BSI baseline protection the gold standard for authorities
In the ‘Umsetzungsplan Bund 2017’ [Federal Implementation Plan 2017], the central guideline for information security in the national administration, the German Federal Ministry of the Interior defines all minimum requirements for information security on the basis of the IT baseline protection catalogue, thereby making the latter the gold standard, as it were. In the case of tenders by authorities or ministries, the BSI certification of service companies should be considered an appropriate criterion.
In principle, if essential or security-relevant IT services are to be outsourced (in particular cloud, network and infrastructure services), IT service providers must have an adequate and effective ISMS (information security management system) based on the BSI’s IT baseline protection. In addition, the scope of the security certificate must fully cover the service(s) that are to be provided!
Conclusion: A closer look at cloud security remains necessary
There is hardly any IT security certification that can really match the standards of BSI baseline protection. Especially for companies with high security requirements (e.g. banks, insurance companies, the pharmaceutical industry) and for public authorities, there is hardly any alternative to such a certificate in cloud computing.
When choosing a cloud provider with the BSI seal, however, it is not enough to ensure that it really is a certification according to ISO 27001 based on IT baseline protection. It is also necessary to check whether all business units relevant to the outsourcing have been certified.