Quality Assurance and Compliance Specialist Nicola Brady details the best way to approach Cloud Service Providers, by taking their standards and certifications into account, but also taking responsibility as a subscriber to ensure that they meet requirements.
Cloud Service Providers (CSPs) more often than not hold a myriad of standards and certifications purporting to make them a better option than their competitors. The CSP may be certified to one or more quality standards, including ISO 27001 (managing information security risk), ISO 9001 (quality management of business procedures), COBIT (Control Objectives for Information and Related Technologies) or SSAE 16 (controls over security, availability and confidentiality). While the attainment of these standards and certifications goes a long way to inspiring confidence in a prospective subscriber, they cannot, and should not, replace due diligence on the part of the prospective subscriber in establishing whether the cloud service provider will be able to deliver a service that meets their specific requirements.
But surely these standards and certifications count for something?
Absolutely! By achieving and maintaining these standards or certifications, the CSPs must have efficient and effective management and business practices, processes and controls in place. This can provide assurances to the prospective subscriber, as well as inspire confidence in the ability of the CSP to deliver and meet the subscriber’s requirements. Any standards and certifications held by the CSP may also be leveraged, to an extent, to satisfy the subscriber’s requirements. However, they cannot replace the mandatory requirements of the subscriber, particularly where the subscriber is a regulated entity, e.g. a life science company. The regulated entity must meet specific regulations, including GMP (Good Manufacturing Practice) regulations, and the standards and certifications held by the CSP will not, on their own, satisfy the GMP regulations.
So, what should the subscriber do?
It is not up to the CSP to meet the prospective subscriber’s regulatory requirements. It is the subscriber’s responsibility to perform a thorough evaluation of the CSP to determine whether its processes and controls stand up to scrutiny. Once the CSP has been appropriately vetted and determined to be suitable for the service delivery required, clear responsibilities and accountabilities must be established via a comprehensive contract. At the end of the day, no standard or certification relieves the potential subscriber of the responsibility to meet the requirements of the regulated industry in which they operate.