The overall process for self certification against the Code of Practice for Cloud Service Providers (the "Code") is outlined in the diagram below and is fully outlined in the document "Conducting the Self Certification" which can be downloaded from this page.
1. Recognise Need.
An organisation must first see a need for obtaining Certification against the Code. Typically this will be because it wishes to differentiate itself from other organisations which do not operate transparently and responsibly. It may also be driven by direct customer demand.
An organisation should download the Information Pack (of which this document is part) from the CIF website (www.cloudindustryforum.org), and review it. It will also be possible to inquire about the Code from industry sources, e.g. by doing a web search, or by reference to industry research organisations.
Registration is on-line at the CIF website, and requires payment of a fee together with the acceptance of the Terms and Conditions. (See also separate 'Costs' document IP13). The organisation may optionally choose to have its name listed on the CIF website as having registered. The organisation will then be able to download the Assessment Pack. (The Application must be submitted within 6 months of registration.) It is important to recognise before registration the commitments which are associated with Certification, e.g. acceptance of being audited, and recognition that Certification will be unilaterally rescinded by CIF together with the immediate withdrawal of permission (license) to use the Certification Mark if there is evidence of non-compliance with the Code.
- A formal project is established for performing the self-assessment and achieving Certification. At a minimum it should include the creation of a clearly defined project charter, project team, project plan, and an electronic filing system for the supporting documentation needed as part of self-assessment.
- Existing information should be gathered, both relating to transparency (information already published on the organisation's web site; and provided in commercial proposals); and relating to capability as demonstrated by documented internal management systems. If any of these do not yet exist, they should be created at this point, at least in prototype (e.g. disclosure information to be included in a commercial proposal).
The Assessment Form is completed, including cross-references to supporting documentation in the electronic Documentation File. This may be done directly using the on-line Assessment Form. Alternatively, the Excel version of the Assessment Form may be used for initial assessment work, to provide a control schedule for needed improvements in the next step. If there are any questions about whether a requirement is met, or if a requirement is not relevant for the organisation (under the 'comply or explain' principle), then reference is made to CIF, who will provide guidance or issue a numbered exemption if appropriate. Any requests should be sent to the administration for self certification (AdminSC@cloudindustryforum.org). Note that the on-line Assessment Form ultimately needs to be completed, which does not allow any comments - all requirements must be met, or have an authorised exemption number.
If any non-conformances are noted in the assessment step, then improvement actions are undertaken, after which the assessment step is repeated to the extent required to ensure that all non-conformances have been corrected.
The organisation completes the on-line Assessment Form, transferring information from the Excel spreadsheet version of the Assessment Form if used. The organisation also prepares, digitally signs and uploads its supporting documentation to CIF.
1) validates the completeness of the Self-Certification Application,
2) validates the digital signatures on the supporting documentation;
3) validates that the publicly declared information is actually available; and
4) confirms the professional reference.
The possibility exists that further information could be requested, up to a full audit, although this will not be the normal expectation.
If successfully validated, CIF formally recognises the Self-Certification of the organisation, and sends it the current Logo Pack with Certification Mark and detailed instructions for use.
The organisation displays the Code Certification Mark on its website, together with hyperlinks to the CIF website. CIF lists the organisation on its own website.