News

04.04.2013

EuroCloud Best Practice Guidelines and Cloud Certification

EuroCloud is not a typical standardization body, but it is working on best practice guidelines for quality assurance and has developed an auditing scheme suited to the nature of cloud service provisioning. This work started in Feb 2010, a long time before ENISA, BSI or CSA published reference material that is applicable for synchronization. We have promoted the ENISA papers to our members as very valuable input for gaining a better understanding of risks, especially from a customer point of view.

EuroCloud Germany and the linked association eco have long-term experience in the area of auditing. The data center Star Audit has been offered for 6 years and there are around 50 certified data center providers (www.dcaudit.de/lang/en/infos/facts/).

Regarding the EuroCloud Star Audit SaaS/PaaS/IaaS, we clearly state that the scope is based on a best practice approach. The first certification was made in 2011 with early adopters, and we are in touch with more than 120 CSPs to provide an understanding of the scope and effectiveness of the auditing scheme. The design reflects the complexity of cloud service provisioning as a combined supply chain of multiple services (e.g. IaaS plus SaaS). We have a modular structure to address the key areas:

  • Law and Compliance
  • Data security and data privacy
  • DC Infrastructure
  • Processes
  • Application and Interoperability

A certification is only available for a specified service, in conjunction with the provisioning entity as legal contract partner and the country of legal assessment. This is needed to allow for the different regulations per country. The key differentiator to ISO 27001 is that the Star Audit has a common scope, whereas ISO 27001 is not clear about its statement, as the scope is negotiated between auditors and company. What we already see is that some CSPs are showing an ISO certification which is bound to one entity in the supply chain and does not cover the whole service delivery. Besides this, a majority of cloud consumers are SMEs (20,96 out of 21 million European companies). They do not have the resources for individual assessments and reviews of complex certification schemes.

Please find further explanations here:

Slides:
de.slideshare.net/eurocloud/tues1200-standards-compliancecertandreasweisseurocloudde
Recorded Session for the slides:
www.youtube.com/watch

The public web site about the Star Audit can be accessed via: www.saas-audit.de/en/507/overview/