SS584


SS 584 is an information security standard, published by Singapore Standards. The standard was last revised in 2015.
SS 584 specifies a Management system for Cloud Security, to three levels. Organizations that meet the requirements may be certified by an accredited certification body following successful completion of an audit.

Rationale

Although most Cloud Service Providers are certified to ISO 27000, the ISO standard does not focus on the unique risks arising from provisioning via the Cloud. Smaller customers also have difficulty assessing if a CSP's ISMS is sufficient for their needs, as ISO 27001 is risk-based, and may vary significantly between implementations. This may be a barrier to adoption by SMEs, who would like a simpler way to decide if a CSP meets their needs.
To encourage adoption of Cloud Services, the then IDA established a series of groups in 2012 to produce a standard that CSPs could certify to. The standard would have multiple levels of security assurance:
Note that the standard interchangeably uses the terms "tiers" and "levels".

History of SS 584

SS584:2013 was issued in 2013, and the program was initially administered by IDA.
In 2015, the standard was revised. At this time, Accreditation was handed over to the Singapore Accreditation Council, a division of Enterprise Singapore, in line with other Singapore Standards.
As of late 2019, the standard is being revised again, with inputs from industry, and a new version may be issued in 2020.

Certification

CSPs that wish to have their services certified must classify each into IaaS, PaaS, or SaaS. They also decide to which level they wish to demonstrate compliance.
For compliance to Level 3, the CSP must be certified to ISO/IEC 27001.
CSPs must obtain the services of an Accredited Certification Body, who will audit the management system of the CSP for compliance to SS 584. The CB will then issue a Certificate attesting to this, usually valid for three years. Annual Surveillance Audits are required.
A list of Services and CSPs certified is available. Examples of Certified CSPs include IBM and AWS.

Overseas Acceptance

Although the standard is not an International standard, as the first national standard to address Cloud Security, it has seen acceptance outside Singapore. In particular, the Korean RSEFT regulations recognise SS 584 as meeting most of the requirements for CSPs.
Documents from Datamation and CloudwatchHUB describe the international use and impact of this standard.