AWS Certification Update – ISO 9001 and More

Today I would like to give you a quick update on the latest AWS certification and to bring you up to date on some of the existing ones.

Back in the early days of AWS and cloud computing, questions about security and compliance were fairly commonplace. These days, generally accepted wisdom seems to hold that the cloud can be even more secure than typical on-premises infrastructure. Security begins at design time and proceeds through implementation, operation, and certification & accreditation. Economies of scale and experience come in to play at each step and give the cloud provider an advantage over the lone enterprise.

ISO 9001 Certification
I am happy to announce that AWS has achieved ISO 9001 certification!

This certification allows AWS customers to run their quality-controlled IT workloads in the AWS cloud. It signifies that AWS has undergone a systematic, independent examination of our quality system. This quality system was found to have been implemented effectively and has been awarded an ISO 9001 certification as a result.

We believe that this certification will be of special interest and value to AWS customers in the life sciences and health care industries. Companies of this type (including drug manufacturers, laboratories, and those conducting clinical trials) have an FDA-mandated obligation to operate a Quality Management Program.

ISO 9001:2008 is a globally-recognized standard for managing the quality of products and services. The 9001 standard outlines a quality management system based on eight principles defined by the ISO Technical Committee for quality management and quality assurance. They include:

• Customer focus
• Leadership
• Involvement of people
• Process approach
• Systematic approach to management
• Continual Improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationships

The key to the ongoing certification under this standard is establishing, maintaining and improving the organizational structure, responsibilities, procedures, processes, and resources for ensuring that the characteristics of AWS products and services consistently satisfy ISO 9001 quality requirements.

The certification also allows AWS customers to demonstrate to their customers and auditors that they are using a cloud service provider that has a robust, independently accredited quality management system. The certification covers the following nine AWS Regions: US East (N. Virginia), US West (Oregon), US West (N. California), AWS GovCloud (US), Europe (Ireland), South America (São Paulo), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo). The following services are in scope for these Regions:

• AWS CloudFormation
• AWS CloudHSM
• AWS CloudTrail
• AWS Direct Connect
• Amazon DynamoDB
• AWS Elastic Beanstalk
• Amazon Elastic Block Store (Amazon EBS)
• Amazon Elastic Compute Cloud (Amazon EC2)
• Elastic Load Balancing
• Amazon EMR
• Amazon ElastiCache
• Amazon Glacier
• AWS Identity and Access Management (IAM)
• Amazon Redshift
• Amazon Relational Database Service (RDS)
• Amazon Route 53
• Amazon Simple Storage Service (Amazon S3)
• Amazon SimpleDB
• Amazon Simple Workflow Service (SWF)
• AWS Storage Gateway
• Amazon Virtual Private Cloud (Amazon VPC)
• VM Import / VM Export

AWS was certified by EY CertifyPoint, an ISO certifying agent. There is no increase in service costs for any Region as a result of this certification. You can download a copy of the AWS certification and use it to jump-start your own certification efforts (you are not automatically certified by association; however, using an ISO 9001 certified provider like AWS can make your certification process easier). You may also want to read the AWS ISO 9001 FAQ.

Other Compliance News & Resources
We are also pleased to announce three additional achievements in the cloud compliance world:

• AWS is now listed as an Official Tier 3 Cloud Service Provider by the Multi-Tiered Cloud Security Standard Certification for Singapore.
• With Version 2.0 of PCI DSS set to expire at the end of 2014, AWS customers and potential customers should know that we achieved and were fully audited against the PCI DSS 3.0 standard a full 13 months early! This validation helps AWS customers obtain their own PCI certification in a timely manner.
• AWS has completed an independent assessment that has determined all applicable Australian Government Information Security Management controls are in place relating to the processing, storage and transmission of Unclassified (DLM) for the Asia Pacific (Sydney) Region.

As is always the case, the AWS Compliance Center contains the most current information about our certifications and accreditations. If you are interested in following along, subscribe to the AWS Security Blog.

— Jeff;