Cloud Security Mark Gold (CS Gold Mark)

CS Gold Mark overview

The Cloud Security Mark (CS Mark) is the first security standard for cloud service providers (CSPs) in Japan. It is based on ISO/IEC 27017, the international code of practice for information security controls, which in turn is based on ISO/IEC 27002 for cloud services and addresses information security in cloud computing and the implementation of cloud-related information security controls.

The CS Mark is accredited by the Japan Information Security Audit Association (JASA), a nonprofit organization established by the Ministry of the Interior and the Ministry of Economy, Trade, and Industry to strengthen information security in Japan. The CS Mark promotes the use of cloud services and provides:

  • A common standard that CSPs can apply to address common customer concerns about the security and confidentiality of data in the cloud and the impact on business of using cloud services.
  • Verifiable operational transparency and visibility into the risks that customers face when they use cloud services.
  • Objective criteria that enterprises and government can use to choose a CSP, and clarification of the security requirements that CSPs must follow to be accredited.

JASA developed the Authorized Information Security Audit System (AISAS), which specifies the audit of approximately 1,500 controls covering such areas as organization for information, physical, and development security; the security of human resources; and business continuity, disaster recovery, and incident management. The AISAS offers CS Gold Mark accreditation that requires an independent auditor authorized by JASA to perform a stringent audit. A CS Gold Mark means that in-scope services can host important government data.

Microsoft and CS Gold Mark

After rigorous assessments by a JASA-certified auditor, Microsoft received the CS Gold Mark for all three service classifications. Accreditations were granted for Microsoft Azure Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), and for Microsoft Office 365 Software as a Service (SaaS). Microsoft was the first global CSP to receive this accreditation across all three classifications.

Microsoft in-scope cloud services

Audits, reports, and certificates

Accreditation is valid for three years, with a surveillance audit conducted yearly.

Frequently asked questions

Where do I start with my organization’s own compliance effort?

If your organization is using Azure or Office 365, you need to ensure that the CS Mark addresses your own security requirements. If the CS Mark does address your security requirements, then you can use the Microsoft accreditation and audit report as part of your own accreditation process. You are responsible for engaging an auditor to evaluate your implementation for compliance, and for the controls and processes within your own organization.