Amazon Web Services (AWS) was the first global cloud service provider to achieve the Singapore Multi-Tier Cloud Security Standard (MTCS SS 584) Level-3 (CSP) certification for Singapore. The scope was expanded to Seoul in 2019, and to US-East (Ohio), US-East (N.Virginia), US-West (Oregon), and US-West (N.California) regions in 2020. This certification gives organizations the clarity to utilize AWS to host and process their highly confidential data in Singapore, South Korea, and in the United States. For more details, access the MTCS certification via AWS Artifact.
What is the MTCS Certification?
The Multi-Tier Cloud Security (MTCS) is an operational Singapore security management Standard (SPRING SS 584), based on ISO 27001/02 Information Security Management System (ISMS) standards. The certification assessment requires us to:
- Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities;
- Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
- Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.
The key to the ongoing three-year certification under this standard is the effective management of a rigorous security program and annual monitoring by an MTCS Certifying Body (CB). The Information Security Management System (ISMS) required under this standard defines how AWS perpetually manages security in a holistic, comprehensive way.
The MTCS certification is specifically focused on the AWS operational deployment of the ISO 27001/02 ISMS and how AWS's internal processes comply with the MTCS Level 3 certification requirements. Certification means a third-party CB has performed an assessment of AWS processes and controls, and confirms they are operating in alignment with the comprehensive MTCS Level 3 certification requirements.
Which AWS services are covered by the MTCS Certification?
Background on the Singapore MTCS Certification
The Multi-Tier Cloud Security (MTCS) Singapore standard is developed under the Information Technology Standards Committee (ITSC). The ITSC was formed in 1990, under the purview of the Singapore Standards Council appointed by SPRING Singapore. It is an industry-led effort made up of volunteer members from the industry, and supported by SPRING Singapore and IMDA Singapore. It is a neutral and open platform for interested industry and government parties to come together to agree on technical standards. SPRING Singapore is an agency under the Ministry of Trade and Industry of Singapore.
The objective of MTCS is to encourage adoption of sound risk management and security practices for cloud computing by providing relevant cloud security practices and controls for CSPs, so that they can strengthen and demonstrate the cloud security controls in their cloud environments.
The Standard was first published on 13 November 2013 through the Spring Standards and subsequent assessment guidance, approved certifying bodies (CBs) and cross-certification guidance from ISO/IEC 27001 was published on 14 February 2014. The latest version (Second revision) was published in October 2020.
Background on the MTCS Certification for Seoul Region
In addition to the MTCS certificate for the Singapore region, AWS achieved the Multi-Tier Cloud Security Standard (MTCS) Level-3 certification for Seoul region in April 2019. AWS was also the first cloud service provider in Korea to do so. As a result of its review on the MTCS certification system, Korean FSI regulator determined that the MTCS certification system is consistent with the RSEFT standard and recognized the MTCS Level-3 certification for FSI customers in Korea. With the MTCS, FSI customers in Korea can accelerate cloud adoption by no longer having to validate 109 controls, as required in the relevant regulations (Financial Security Institute’s Guideline on Use of Cloud Computing Services in Financial Industry and the Regulation on Supervision on Electronic Financial Transactions (RSEFT)). AWS also published a workbook for Korean FSI customer, covering those and 32 additional controls from the RSEFT. A copy of the AWS MTCS certificate for Seoul region and AWS Workbook for Korean FSI customers are available to customers by using AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. Sign into AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.