Compliance to standards can be exhibited in several ways. Level of assurance differs in objectivity and continuity in time scale while at the same time, level of visibility and transparency may also vary.
- Self-assessment where organisations would indicate their standard compliance status after carrying out an internal check and verification.
- Certification by 3rd party is usually undertaken by an independent auditing company also known as a certification body. Upon successful completion, a certificate is usually issued valid for a period of time (commonly 3 years) with requirements of periodic check, known as surveillance audit, normally done annually to ensure continual compliance.
- Compliance through continuous monitoring where automated tools are deployed to continuously monitor, near real-time, its fulfilment of compliance to standards. This is the highest level of achievable compliance to standards though it is difficult to comprehensively cover such near real-time monitor on all aspect of the requirements.
Other forms of demonstration of compliance to standards such as attestation by 3rd or 2nd party (e.g. consumers/buyers audit their service providers/suppliers) are also possible. Such demonstration of compliance may be exhibited by posting online its self-disclosure statement, certificate of compliance or summary display of real-time compliance status.
MTCS Certification Scheme
In conjunction with the Singapore Standard SS 584: 2020 Specification for multi-tiered cloud computing security, the MTCS Certification Scheme is developed to
- encourage adoption of sound risk management and security practices by CSPs through MTCS certification; and
- promote the adoption of MTCS standard.
Here are the key steps for CSPs to participate in the scheme.
- CSPs shall source and identify suitable ACCREDITED Certification Bodies (CBs) to undertake the certification (see enclosed list of participating CBs).
- CSPs shall work with the identified ACCREDITED CBs to prepare the following documents after having decided on the scope of certification:
- Statement on Applicability and Compensating Controls; and
- MTCS CSP Self-Disclosure (185.10KB).
- CSPs proceed to work with ACCREDITED CBs on the certification.
Upon successful certification, CSP may email a copy of ACCREDITED MTCS certificate and a duly completed disclosure form to firstname.lastname@example.org for listing on the IMDA website. Only ACCREDITED MTCS certificates will be listed.
Certification will be valid for 3 years with a yearly surveillance audit to be conducted.
MTCS Certified Cloud Services
- CSPs who provide MTCS-certified services and wish to have them listed here can submit e-copies of the following documents to email@example.com:
- Accredited MTCS Certificate
- CSP disclosure form (185.10KB) (duly completed and signed)
All enquiries regarding MTCS Certification can also be addressed to firstname.lastname@example.org.