Cloud Service Provider (CSP) Security Standard
The Cloud Service Provider (CSP) Security Standard produced by Dubai Electronic Security Center (DESC) sets out requirements and guidance for CSPs and those organizations using any cloud services.
Compliance with this standard is mandatory for all CSPs wishing to offer cloud services to Dubai government and semi-government entities. CSPs can achieve certification against this standard to demonstrate this compliance, following the well-known international certification scheme applied for ISO/IEC 27001.
The CSP Security Standard is based on the following international standards:
- ISO/IEC 27001:2013
- ISO/IEC 27002:2013
- ISO/IEC 27017:2015
- ISR:2017 v.02
- CSA Cloud Controls Matrix 3.0.1
Description of the Certification Process
Throughout the development of the CSP Security Standard, strong alignment with the existing international standards has been sought to make the certification process as easy as possible, and to allow the use of the international accreditation/certification scheme for ISO/IEC 27001.
The basis of the certification process is the acknowledgement of any existing certifications, without further audits for those existing certificates.
The following picture illustrates the certification process:
Where a CSP uses one or more co-located third-party data centres, the certification process shall ensure that this arrangement is sufficiently secure.
Possible ways to check this include:
- Inclusion of the data centre in the scope of existing or new certificates against the aforementioned three standards.
- Assessment of the third-party controls, including the assessment of risks related to third parties, that are applied by the CSP to ensure that adequate security is in place.
Certificates issued under this process follow the usual process for management system certification applied by accredited certification bodies. This means that there will be yearly surveillance audits, taking place on site where possible, and a re-certification audit every three years.
Data Center (DC) Security Standard
The Data Center (DC) Security Standard produced by Dubai Electronic Security Center (DESC) sets out requirements and guidance for DCs and those organizations using any data centre services.
Security Operations Centre (SOC) Security Standard
The Security Operations Centre (SOC) Security Standard produced by Dubai Electronic Security Center (DESC) sets out requirements and guidance for SOCs and those organizations using any SOC services. Compliance with this standard is mandatory for all SOC providers wishing to offer SOC services to Dubai government and semi-government entities. It can be applied to in-house or outsourced SOC service provision.