The Multi-Tier Cloud Security (MTCS) is an operational Singapore security management Standard (SPRING SS 584:2013), based on ISO 27001/02 Information Security Management System (ISMS) standards. The certification assessment requires us to:
Systematically evaluate our information security risks, taking into account the impact of company threats and vulnerabilities;
Design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks;
Adopt an overarching management process to ensure that the information security controls meet our information security needs on an ongoing basis.
The key to the ongoing three-year certification under this standard is the effective management of a rigorous security program and annual monitoring by an MTCS Certifying Body (CB). The Information Security Management System (ISMS) required under this standard defines how AWS perpetually manages security in a holistic, comprehensive way.
The MTCS certification is specifically focused on the AWS operational deployment of the ISO 27001/02 ISMS and how AWS’s internal processes comply with the MTCS Level 3 certification requirements. Certification means a third-party CB has performed an assessment of AWS processes and controls, and confirms they are operating in alignment with the comprehensive MTCS Level 3 certification requirements.
The Multi-Tier Cloud Security (MTCS) Singapore standard is developed under the Information Technology Standards Committee (ITSC). The ITSC was formed in 1990, under the purview of the Singapore Standards Council appointed by SPRING Singapore. It is an industry-led effort made up of volunteer members from the industry, and supported by SPRING Singapore and IDA Singapore. It is a neutral and open platform for interested industry and government parties to come together to agree on technical standards. SPRING Singapore is an agency under the Ministry of Trade and Industry of Singapore.
The objective of MTCS is to encourage adoption of sound risk management and security practices for cloud computing by providing relevant cloud security practices and controls for CSPs, so that they can strengthen and demonstrate the cloud security controls in their cloud environments.
The Standard was published on 13 November 2013 through the Spring Standards and subsequent assessment guidance, approved certifying bodies (CBs) and cross-certification guidance from ISO/IEC 27001 was published on 14 February 2014.