The First Accredited Cloud Service Providers

by Chris Challis on 18.11.2011 08:24
You may have seen mention of the Cloud Industry Forum, both from me and others. The CIF has published a “Code of Practice” for cloud service providers. On Monday the first five providers to self-certify against the Code were announced at a special event. The five gave presentations and answered questions on their experiences. These covered both the benefits of getting organized to comply (and the effort needed) and the very positive impact on securing new customers.

As this is a scheme principally aimed to be of benefit to end-users, it’s worth you knowing more about it whether you are a provider or end-user. Here goes…


The “CIF Code” (or “CIF CoP”, as it’s affectionately known) sets out a checklist of aspects that a cloud service provider should provide. It addresses the full gamut of issues, such as security. It also addresses the sharp practices that even the better known providers used to engage in, such as refusing to hand customers’ data back to them if they wished to move to another system.

There are also plans to develop statements of best practice in each area. I became a member of the Governance Board for the CoP at the eleventh hour of producing the initial Code, principally to help develop the Code beyond that initial version and develop the associated best practice.


The Code is aimed at benefiting end-users, though it also provides several benefits for cloud service providers, as described below. The Code arose because there is no other definitive standard for cloud service providers. There are standards that address some or even most of the issues, both here and principally in the US. There are also a number of initiatives such as the BASDA code. But none of these quite hits the spot across all types of cloud services in terms of:
  • What customers need to know about a potential cloud provider
  • What the cloud provider ought to be doing to provide a fully professional service, be they serving SMEs or corporates
The Code therefore provides the best yardstick yet available for end-users to assess and compare cloud service providers of any type when making a selection.

However the Code does need expanding in some areas, and perhaps reducing in others to keep it concise. For example, the security heading could be split out into sub-headings, and aspects of upgrades introduced. Any feedback that you can give me, either as end-user or provider, will be useful to feed into the development process. Preparation for the next version of the Code has already begun.


The accreditation of providers is currently a self-certification process. This will be policed using feedback from customers and competitors, which should be reasonably effective. Nonetheless a fully audited accreditation will follow, perhaps when the next version of the Code is released, having taken all feedback into account.


Representatives of all five companies that have become accredited presented and answered questions on Monday. The common themes were:
  • Preparation had usefully helped them pull everything they needed into one place, even if they already had it. Filling in the gaps was also useful
  • Compliance and certification had already brought additional business. In the case of the smallest provider, being able to sell to corporate customers for the first time was obviously valuable, as it is a much more lucrative market for them
Whilst there are these positive benefits to providers, I’m sure it won’t be long before the lack of a CIF accreditation will be a major barrier to getting business.

Clearly then it is in the best interests of the better cloud service providers to become accredited and stand out from the "cloud crowd". For those that don’t yet reach the standard, it is now time to step up to the plate or potentially be out of business. Compliance with the CIF Code will inevitably become a regular checklist item for any selection, be it formal or informal, for SMEs, corporates or government. It is therefore a virtual necessity for a cloud service provider to become accredited as soon as possible.

The CIF fees are modest. Many providers can do the accreditation themselves, especially if they are already accredited to any of the other standards. Other providers may need some external help to gain the benefits. (I’m not expecting to be involved in such work, but can make some suggestions if contacted.)


Accreditation under the CIF code will become a distinguishing factor in selecting any cloud system. I’m certainly adding it to selection checklists for the future.

But please be aware that accreditation under the code is more about disclosure than whether what is being done is good enough. That is something you still have to assess, but at least you should have the information from accredited providers to be able to do so.


CIF is also carrying out some very useful research work. The latest white paper, number 4, has assessed what end-user organisations are looking for and concerned about when looking at cloud services. This in itself will be a useful input to development of the Code.

The issues seem to be consistent across all types and sizes of organisation, whether they are using cloud services or are yet to do so.

The main concerns, not surprisingly, centre on “security”, covering various aspects such as access control and disaster recovery. It is clear that providers still need to reassure end-users in these areas. But the better providers will go one stage further and clearly show that what they provide is better than running a system in-house. That is one of the key benefits of cloud services.

So it’s worth both end-users and providers taking a look at these publications.


Do check out these links to the CIF website:
  1. Home page
  2. Code of Practice
  3. Whitepapers
  4. Becoming accredited

Whilst talking about cloud, Richard Anning has already posted today about the event on 30th November. This is a webinar that will take a look at cloud accounting at both ends of the SME spectrum, i.e. everyone below the size of larger corporates. Should be a fascinating event. Click here for further details.