The Assessment Procedure follows best practices to guarantee a robust and credible validation of adherent services.
Any adherent Cloud Service which is declared and published on the EU Cloud CoC website must be fully compliant with the provisions of the EU Cloud CoC. The Monitoring Body checks compliance through one of the following:
An initial assessment
Annual, recurring assessments
Ad-hoc assessments, whenever the Monitoring Body considers those reasonable
Initial Assessment: Summary
The Initial Assessment verifies that Cloud Service Providers are compliant with the provisions of the EU Cloud CoC. The EU Cloud CoC has translated its provisions into defined controls. Each control is complemented by individual control guidance.
Cloud Service Providers are expected to indicate clearly which cloud service is to be declared adherent. For each adherent service, Cloud Service Providers have to provide the Monitoring Body with both a detailed Cloud Service Agreement that covers such services and an explanation of how and why the provisions and/or controls of the EU Cloud CoC are complied with. This explanation shall be given on a control-by-control basis.
The Monitoring Body will assess the information provided by each Cloud Service Provider. For each service that is being declared adherent, the Monitoring Body will confirm that the information provided is complete and relevant. It will also request additional documentation and samples which underpin the effective implementation of the measures mentioned within the explanation. An in-depth assessment, e.g. by taking random samples, will be used to determine whether the service complies; an appropriate percentage of the controls of the EU Cloud CoC will be used for this purpose, based on the type of service. Only if the explanation and supporting documentation provided are sufficient will the Monitoring Body officially verify compliance, so that the declared services can be listed in the Public Register.
How / When is the Initial Assessment triggered?
The Initial Assessment is triggered whenever a Cloud Service Provider declares its service(s) adherent to the EU Cloud CoC. It is the first (initial) verification. To be listed in the Public Register, it is mandatory to successfully pass the validation performed by the Monitoring Body.
Recurring Assessment: Summary
Each Cloud Service will be subject to robust validation performed by the Monitoring Body. Depending on the Cloud Service, its Technical & Organisational Measures and its Contractual framework, the Monitoring Body will determine the most relevant controls of the EU Cloud CoC and prioritize a related, detailed verification of compliance. Additionally, the Monitoring Body will take randomized samples of controls to perform an in-depth verification. Over an appropriate timeframe, the Monitoring Body shall validate each control of the EU Cloud CoC through recurring assessments.
How / When is the Recurring Assessment triggered?
The Recurring Assessment is triggered annually. To continue being listed in the Public Register as current and valid, it is mandatory to pass the revalidation performed by the Monitoring Body at least every 12 months.
Ad-Hoc Assessment: Summary
Ad-Hoc Assessments will differ depending on the circumstances through which such an assessment is triggered. Each Ad-Hoc Assessment must resolve the Monitoring Body's questions or concerns as to whether the respective Cloud Service is (still) compliant with the EU Cloud CoC. Actions taken by the Monitoring Body may range from simple interviews and requests for documentation to a verification at the Cloud Service Provider's premises.
How / When is the Ad-Hoc Assessment triggered?
An Ad-Hoc Assessment can be triggered in a number of cases. Whenever the Monitoring Body becomes aware of facts that raise concerns about a Cloud Service's compliance with the EU Cloud CoC, it is mandatory to successfully pass the ad-hoc validation performed by the Monitoring Body in order to remain listed in the Public Register as current and verified. Typical triggers are:
The Cloud Service Provider significantly updates its service, so that prior assessments can no longer be applied
Adverse media reports, either directly affecting a certain service or related to a kind of service
Complaints, either by Customers or filed anonymously
What to expect when being assessed
The assessment follows dedicated procedures and uses templates. Both ensure consistently high quality and comparability.
To ensure traceability and accountability (of CSPs towards the Monitoring Body, and of the Monitoring Body towards supervisory authorities), information relevant to the assessment and its administration will be exchanged through a ticket system. This also improves the security of potentially confidential information, since such information does not need to be exchanged by email.
Unlike other mechanisms, it is not the Monitoring Body that investigates and determines the relevant and applicable information. It is the CSP that must provide satisfactory responses enabling the Monitoring Body to form a convincing picture of the CSP's Cloud Services and the related measures implemented.
CSPs will have to explain convincingly how the requirements of the Code are met. The Monitoring Body uses questionnaires: the first set of questions is derived from the Controls Catalogue. Depending on the information provided, there will be follow-up questions or requests. Questions mostly serve to better understand the actual measures; requests mostly concern further evidence and samples. If the information provided leaves doubts about a CSP's compliance, requests may also concern particular remedies and/or confirmations.
* Please note: this is a sample. The questionnaire template is subject to constant improvement to ease understanding and completion by CSPs. If you declare any services adherent, you will have to complete the template as provided by the Monitoring Body during the assessment.
Different Levels of Compliance
Remember that the EU Cloud CoC provides for different Levels of Compliance. Whilst the material requirements do not differ, the formal requirements that must be met do. More general information is available on the dedicated page. If you are interested in reaching Compliance Level 3, you may also want to read the dedicated guidelines.