On 22 November 2010 the Cloud Industry Forum (“CIF”) launched its Code of Practice in respect of cloud services following an extensive period of public consultation. CIF is an organisation which was established in 2009 with the aim of advocating the adoption and use of cloud based services by business and individuals.
CIF believes the market needs a credible and certifiable Code of Practice that “provides transparency of cloud services such that consumers can have clarity and confidence in their choice of provider”.
In its consultation paper for the Code of Practice, CIF defines cloud computing using the definition in the ISO/IEC JTC 1 N9687 Report on Cloud Computing, as follows:
Cloud computing provides the IT infrastructure and environment to develop/host/run services and applications, on demand, with pay-as-you-go pricing, as a service. It also provides resources and services to store data and run applications, on any device, anytime, anywhere, as a service.
Why introduce a Code of Practice?
CIF states that its justification for the introduction of a Code of Practice includes the lack of transparency in services provided online; the emergence of new risks in cloud-based services (such as data protection and continuity of operations); and the rate of market adoption. CIF comments that the attractiveness of non-capital, pay-as-you-use services is significant and that experts predict dramatic take-up over the next few years.
What are the terms of the Code of Practice?
The Code of Practice revolves around three central principles:
- Transparency: organisations must ensure transparency for specified types of information. Commercial terms in particular must be clear, including full disclosure of fully burdened pricing, contract periods, and renewal processes.
- Capability: organisations must have documented management systems and resources in place to deliver specified capabilities such as data protection and continuity of operations.
- Accountability: organisations shall be accountable for their operational practices and shall agree to binding complaint resolution procedures with customers for Code of Practice related practices and other complaints.
The Code of Practice will not compete with more specific standards such as SAS70 or ISO9001. CIF states that it will provide participants with a frame of reference on how to compare and contrast the role of the Code of Practice against other relevant standards.
How will my organisation comply with the Code of Practice?
An organisation will be certified as compliant with the Code of Practice through self-certification. Self-certified compliance will be achieved on the basis of self-assertion (i.e. a formal statement by the Board of Directors or equivalent body that the organisation intends to comply with the CIF Code of Practice). The organisation must then conduct self-certification procedures against the Code and make a filing in this regard with CIF. Upon acknowledgement of the filing, the organisation will be entitled to use the CIF Code of Practice mark. The self-certification must be repeated annually. Independent certification will be introduced in 2011.
CIF will ensure the credibility of certifications through random audits, external complaints or whistle-blower alerts. CIF will have the capability and authority to enforce removal of the certification mark from organisations deemed not to have complied with the Code of Practice.
Participants must pay a nominal fee to CIF to assist in the administration and governance of the Code of Practice. Annual self-certification fees vary depending on the turnover of the organisation (for example, an organisation with a turnover of less than £250,000 will pay £200 per annum, and an organisation with a turnover of over £10 million will pay £2,000 per annum).