Cloud Security Mark (Gold)
The Cloud Security Mark (CS Mark) is the first security standard for cloud service providers (CSPs) in Japan, and is based on ISO/IEC 27017, the international code of practice for information security controls. This in turn is based on ISO/IEC 27002 for cloud services, which addresses information security in cloud computing and the implementation of cloud-related information security controls.
The CS Mark is accredited by the Japan Information Security Audit Association (JASA), a nonprofit organization established by the Ministry of the Interior and the Ministry of Economy, Trade, and Industry to strengthen information security in Japan. The CS Mark promotes the use of cloud services and provides:
- A common standard that CSPs can apply to address common customer concerns about the security and confidentiality of data in the cloud and the impact on business of using cloud services.
- Verifiable operational transparency and visibility into the risks that customers face when they use cloud services.
- Objective criteria that enterprises and government can use to choose a CSP, and clarification of the security requirements that CSPs must follow to be accredited.
JASA developed the Authorized Information Security Audit System (AISAS), which specifies the audit of approximately 1,500 controls covering such areas as organization for information, physical, and development security; the security of human resources; and business continuity, disaster recovery, and incident management. The AISAS offers CS Gold Mark accreditation that requires an independent auditor authorized by JASA to perform a stringent audit. A CS Gold Mark means that in-scope services can host important government data.
After rigorous assessments by a JASA-certified auditor, Microsoft received the CS Gold Mark for all three service classifications. Accreditations were granted for Microsoft Azure Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), and for Microsoft Office 365 Software as a Service (SaaS). Microsoft was the first global CSP to receive this accreditation across all three classifications.
Frequently asked questions
If your organization is using Azure or Office 365, you will need to ensure that the CS Mark addresses your own security requirements. If CS Mark does address your security requirements, then you can use the Microsoft accreditation and audit report as part of your own accreditation process. You are responsible for engaging an auditor to evaluate your implementation for compliance, and for the controls and processes within your own organization.
Accreditation is valid for three years, with a yearly surveillance audit to be conducted.
CS Gold Mark for Azure and Office 365 (Japanese)
Microsoft in-scope cloud services
API Management, Automation, Azure Active Directory, Azure Management Portal, Batch, Cloud Services, Event Hubs, ExpressRoute, HDInsight, Media Services, Mobile Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis Cache, Rights Management Services, Scheduler, Self-Service Group Management (Azure AD), Service Bus, SQL Database, Storage, Storage Premium, Sync Fabric (Azure AD), Traffic Manager, Virtual Machines, Virtual Network, and Web Apps
- Office 365 detailed list