2014 is going to be a year of change. Two of the key frameworks for cloud service providers (CSPs), ISO 27001 and the Trust Services Principles, have new versions out in the wild now and will become the de facto versions later this year. The good news is that the new versions make it easier for CSPs to align various compliance frameworks and move closer to the Holy Grail of compliance: test once, comply many times. We are incorporating these new versions into our controls DNA now, not only so we are not scrambling later this year, but also so we can take advantage of these streamlining opportunities.
But wait, there is more. On the privacy front, there are many changes in the 2014 pipeline that could have significant impacts. The biggest of these is the EU Data Protection Reform, which will have a definite impact on US entities that handle EU data. The extent of these changes is not known yet, but we have been working on steps to prepare, including the recent launch of our EU data residency option.
All these changes mean that users of cloud-based services need more clarity from their CSPs on what that 'cloud' symbol on their service diagrams really stands for and how third-party-enforced frameworks fit into the picture. As standards and regulatory requirements change, you should have candid conversations with your CSPs about how they are managing those changes.