Certification
The Cloud Industry Forum (CIF) Code of Practice, managed by CIF’s independent certification partner, APM Group, is a credible, certifiable tool that allows Cloud Service Providers (CPS) to demonstrate that they meet specified requirements of transparency, accountability and capability. It aims to standardise enterprises offering cloud services to provide clarity and assurance to end users seeking to migrate to the cloud.
Having been members of CIF since its inception, Outsourcery were heavily involved in the creation of the Code of Practice, and highly attuned to its benefits. Certifying to the Code aligned with Outsourcery’s ethos of continual improvement, offering an opportunity to secure independent validation of their services.
Outsourcery: Founder member
Founded in 2007, Outsourcery is a world-leading Cloud Service Provider (CSP) based in the UK. The company aims to remove the need for businesses of all sizes to own and manage IT, unified communications, video applications and infrastructure. End-customers range from start-ups to FTSE-100 companies. Outsourcery is a founding member of the CIF.
Why choose the CIF Code of Practice?
“As one of CIF’s founding members, and having been involved with the initial consultation process for the Code of Practice itself, it’s something that we have been fully committed to from day one. From a business point of view, achieving certification is a case of us practicing what we preach. You can’t go out in the marketplace and encourage best practice, if you’re not adhering to industry standards yourself,” explained Piers Linney, co-CEO of Outsourcery.
Rosie Jackson, Head of Product Marketing at Outsourcery, said: “A crucial element of the CIF Code of Practice is trust. With no internationally recognised cloud standards currently available in the market, end users have few benchmarks against which they can measure CSPs. The Code provides such a benchmark, ensuring that users of cloud services have access to all of the information they would need to be able to make informed choices about their provider. Certifying against the Code means that we’ve been scrutinised by a trusted and independent third party and have been found to be a trustworthy cloud provider. Essentially it’s a one-stop-shop for customers and partners.”
What makes it different?
Although Outsourcery had already certified against a range of industry standards, their scope did not extend to a specific cloud standard. Moreover, it was the Code of Practice’s focus on the needs of end users that made it an attractive proposition for Outsourcery.
Barry Holder, Information Security and Compliance Manager at Outsourcery, said: “We are already compliant with a number of industry standards, including ISO 27001, IS0 9001 and ISO 14001, but while these standards have implications for cloud services provision, they don’t directly map to cloud computing. The Code of Practice has been developed specifically for cloud, and centres on operational transparency.
“Another key difference is that it is geared towards end users. At every stage in the certification process, APM Group scrutinised the information provided purely from the point of view of a customer, rather than that of an auditor. This kind of external assessment means that we have been able to improve the way that we present key information about our services, become more user-friendly, and as a result, make ourselves easier and more attractive to do business with.”
Certification process
The entire process is overseen by APM Group, who provide supporting documentation, guidance where required, and assess applications for Self Certification. Outsourcery achieved the certification in just over a month although other organisations have taken much longer .
Barry explained: “Overall the process took about a month, but this by no means reflects the normal length of time. The speed at which we achieved the certification in part owes to our historical relationship with CIF, which meant that we had already embedded many of their best practice recommendations in the business and our culture. However, the biggest advantage was that we were already compliant with a number of ISO standards, which meant that much of the documentation required for the Code of Practice had previously been produced. For the ISO uninitiated, the process would take a good deal longer.
“That being said, the process was still rigorous and time consuming. We had a total of four staff members directly involved in the certification process, although a number of other staff were brought in to advise on the various requirements of the Code. The main takeaway here is that any CSP that undertakes certification under the belief that it’s a simple box-ticking exercise, will be sorely disappointed,” he continued.
Partner networks
Under the CIF CoP, CSPs are permitted to use existing certifications towards CIF self-certified status, including the CIF certified status of partners. APM Group has been working with CIF to encourage larger vendors who provide the vital infrastructure to smaller CSPs to go through the CIF certification process, which will not only provide an added level of credibility at the very start of the cloud supply chain but will mean larger providers can enable their certified status to be used by network partners who use the infrastructure to deploy services to customers.
Outsourcery plans to leverage its certification to encourage its network of partners to certify, key to their plans of creating a more trustworthy and transparent cloud industry.
“CSPs do not need to provide all aspects of service delivery and can effectively ‘share’ certifications with partners,” Rosie continued. “Having now achieved the certification for ourselves, we will be actively encouraging CSPs in our partner network to follow suit. Ensuring transparency at every touch point on the cloud supply chain is key to creating a fully sustainable and trustworthy cloud ecosystem.”
The benefits
Although Outsourcery has experienced a range of benefits from certifying, the main winner has been their customers, explained Rosie: “Certifying against the Code of Practice has ultimately made our business more transparent, and further cemented our commitment to best practice. Having gone through the process, we realised that some of our documentation was not as clear as it could have been. For example, we implemented some changes to our high-level security documentation, to improve transparency.
“The public disclosure element of the Code requires us to place all pertinent information about our services and organisational set-up on an externally hosted site. With this key information in one place, any customer or prospect can quickly find everything that they would need to be able to make an informed choice about their CSP.
“In addition, a key part of our business strategy is building a federation of trusted, responsible and accountable cloud partners, which will, in turn, help to raise standards in the cloud industry. The Code of Practice will help us on the way to achieving this vision. Although it’s still early days, it’s encouraging to see that a number of our partners have already expressed interest in pursuing the certification,” she concluded.