The EU’s cyber security agency published a new guide for monitoring cloud computing contracts

ENISA, the European Network and Information Security Agency, has published a practical guide that focuses on continuous security monitoring throughout the life-cycle of a cloud contract. The guide is intended as an assurance framework and tool for IT teams to assess the security of service providers before deciding to move to the cloud, and it is especially focused on public procurement.

The EU’s cyber security agency, ENISA, has published a practical guide aimed at addressing the information security problems that arise in the procurement of cloud computing services. According to ENISA, the procurement of cloud computing services is an increasingly important task for governments and businesses across the EU.

The guide explains in particular how to monitor security continuously throughout the life-cycle of a cloud contract. It focuses on public procurement, which, according to Eurostat figures from 2009, accounts for nearly 20% of the EU's gross domestic product, around 2.2 trillion euro. To that end, the guide includes a checklist for procurement teams, as well as an in-depth description of each security parameter: what to measure and how. The security parameters covered are: service availability; incident response; service elasticity and load tolerance; data lifecycle management; technical compliance and vulnerability management; change management; data isolation; and log management and forensics.

According to one of the editors of the report, Dr Giles Hogben, the guide emphasises the use of continuous security monitoring in addition to certification and accreditation processes. A recent ENISA survey on Service Level Agreements (SLAs) showed that many IT officers in public sector organisations receive hardly any feedback on important security factors, such as service availability or software vulnerabilities. The Procure Secure guide helps customers prepare to monitor security on an ongoing basis.