Oracle is committed to helping customers operate globally in a fast-changing business environment and address the challenges of an ever more complex regulatory environment.
Cloud computing is fundamentally different from traditionally on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).
Before deploying Oracle cloud services, Oracle strongly recommends that cloud customers formally analyze their cloud strategy to determine the suitability of using the applicable Oracle cloud services in light of their own legal and regulatory compliance obligations. Making this determination remains solely the responsibility of customers.
Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it is important that you consider they are generally specific to a certain cloud service and may also be specific to a certain data center or geographic region. Clicking on a compliance framework retrieves the relevant detail. Please note that this information is subject to change and may be updated frequently, is provided “as-is” and without warranty and is not incorporated into contracts.
Customers can obtain more information about available attestations by contacting their Oracle sales representative.
Attestation |
Oracle Cloud Infrastructure |
Oracle Applications |
NetSuite |
Oracle Industries |
Oracle Health |
---|---|---|---|---|---|
CSA STAR Cloud Security Alliance Security Trust Assurance and Risk CSA STARThe Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment to be performed by a reputable third-party that affirms implementation of necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and controls from SOC 2 and ISO/IEC 27001. For more information, see https://cloudsecurityalliance.org/star/ |
yes |
yes |
|||
GSMA SAS-SM GSMA SAS-SM Data Centre Operations and Management GSMA SAS-SMGlobal System for Mobile communications Association (GSMA) is a global organization that represents the interests of mobile network operators and related companies in the telecommunications industry. The GSMA’s Security Accreditation Scheme (SAS) is intended to enable mobile operators to assess the security of their Universal Integrated Circuit Card (UICC )and embedded UICC (eUICC) suppliers, and of their eUICC subscription management service providers. For more information, see https://www.gsma.com/security/security-accreditation-scheme/ |
yes |
||||
ISO 9001 ISO 9001: Quality Management Systems ISO 9001The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. The ISO 9001 standard family is based on a number of quality management principles including a strong customer focus. It is intended “to help organizations demonstrate its ability to consistently provide customers good quality products and services.” For more information, see https://www.iso.org/standard/62085.html |
yes |
yes |
|||
ISO/IEC 20000-1 ISO/IEC 20000-1: Service Management Systems ISO/IEC 20000-1The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 20000-1 service management system (SMS) standard. It is intended to help design, transition, deliver and improve services to fulfil agreed service requirements. For more information, see https://www.iso.org/standard/70636.html |
yes |
||||
ISO/IEC 27001 ISO/IEC 27001: Information Security Management Systems ISO/IEC 27001The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted the internationally recognized ISO/IEC 27001 Standard. It is intended to provide guidance for establishment and continuous improvement of an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. For more information, see https://www.iso.org/isoiec-27001-information-security.html |
yes |
yes |
yes |
yes |
yes |
ISO/IEC 27017 ISO/IEC 27017: Cloud Specific Controls ISO/IEC 27017The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27017, a set of guidelines for information security controls applicable to the provision and use of cloud services. It is intended to provide additional implementation guidance for relevant controls specified in ISO/IEC 27002 and guidance that specifically relates to cloud services. For more information, see https://www.iso.org/standard/82878.html |
yes |
yes |
yes |
||
ISO/IEC 27018 ISO/IEC 27018: Personal Information Protection Controls ISO/IEC 27018The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27018, to be used in conjunction with the information security objectives and controls in ISO/IEC 27002. It is intended to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a Personally Identifiable Information (PII) processor. For more information, see https://www.iso.org/standard/76559.html |
yes |
yes |
yes |
yes |
yes |
ISO/IEC 27701 ISO/IEC 27701: Privacy Information Management ISO/IEC 27701The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drafted ISO/IEC 27701. It is intended to provide guidance for the establishment and continuous improvement of a Privacy Information Management System (PIMS) which is processing Personally Identifiable Information (PII). This standard is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management. For more information, see https://www.iso.org/standard/71670.html |
yes |
||||
PCI DSS Payment Card Industry Data Security Standard PCI DSSThe Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. It is intended to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security practices globally. The PCI DSS standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council (PCI SSC). For more information, see https://www.pcisecuritystandards.org/ |
yes |
yes |
yes |
yes |
yes |
SOC 1 System and Organization Controls 1 SOC 1The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 1 report helps companies to establish trust and confidence in their service delivery processes and controls. The intent of these reports focuses on Internal Controls over Financial Reporting (ICFR). For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1 |
yes |
yes |
yes |
yes |
yes |
SOC 2 System and Organization Controls 2 SOC 2The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 2 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy Trust Criteria. The intent of this report is to provide detailed information and assurance about the controls relevant to security, availability, and processing integrity of the systems used to process users’ data and the confidentiality and privacy of the information processed by these systems. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2 |
yes |
yes |
yes |
yes |
yes |
SOC 3 System and Organization Controls 3 SOC 3The System and Organization Controls (SOC) is a program from the American Institute of Certified Public Accountants (AICPA). It is intended to provide internal control reports on the services provided by a service organization. A SOC 3 report outlines information related to a service organization’s internal controls for security, availability, processing integrity, confidentiality or privacy. These reports are shorter than SOC 2 reports and have less details. For more information, see https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-3 |
yes |
yes |
yes |
Attestation |
Oracle Cloud Infrastructure |
Oracle Applications |
NetSuite |
Oracle Industries |
Oracle Health |
---|---|---|---|---|---|
DoD DISA SRG Department of Defense, Defense Information Systems Agency, Systems Requirement Guide DoD DISA SRGThe Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the US Department of Defense (DoD) will assess the security posture of non-DoD cloud service providers (CSPs). Additionally, the CC SRG explains how non-DoD CSPs can show they meet the security controls and requirements before handling any DoD data. CC SRG provides for the following categorization:
For more information, see https://dl.dod.cyber.mil/wp-content/uploads/cloud/zip/U_Cloud_Computing_SRG_V1R4.zip |
yes |
yes |
|||
FedRAMP Federal Risk and Authorization Management Program FedRAMPThe Federal Risk and Authorization Management Program (FedRAMP) is a US government program designed to provide a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services. FedRAMP uses the National Institute of Standards and Technology (NIST) Special Publication 800-53, which provides a catalog of security controls for all US federal information systems. FedRAMP requires cloud service providers (CSPs) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA). For more information, see https://marketplace.fedramp.gov/#!/products?sort=productName&productNameSearch=oracle |
yes |
yes |
|||
FIPS 140 Federal Information Processing Standards Publication 140 FIPS 140The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard published by the National Institute of Standards and Technology (NIST) that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. For more information, see https://csrc.nist.gov/publications/detail/fips/140/2/final Learn more about Oracle's FIPS certifications: https://www.oracle.com/corporate/security-practices/assurance/development/external-security-evaluations/fips/certifications.html |
Not applicable | Not applicable | Not applicable | Not applicable | |
HITRUST CSF Health Information Trust Alliance Common Security Framework HITRUST CSFThe Health Information Trust Alliance (HITRUST) is an organization representing the healthcare industry. HITRUST created and maintains the Common Security Framework (CSF), a framework against which cloud service providers (CSPs) and covered health entities can demonstrate compliance to US Health Insurance Portability and Accountability Act (HIPAA) requirements. For more information, see https://hitrustalliance.net/ |
yes |
yes |
|||
HIPAA Health Insurance Portability and Accountability Act HIPAAThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law. It requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. For more information, see https://www.hhs.gov/hipaa/ |
yes |
yes |
yes |
yes |
yes |
State RAMP: TX-RAMP Texas Risk and Authorization Management Program (TX-RAMP) State RAMP: TX-RAMPThe Texas Risk and Authorization Management Program (TX-RAMP) is “a framework for collecting information about cloud services security posture and assessing responses for compliance with required controls and documentation.” For more information, see https://dir.texas.gov/information-security/texas-risk-and-authorization-management-program-tx-ramp |
yes |
yes |
yes |
Attestation |
Oracle Cloud Infrastructure |
Oracle Applications |
NetSuite |
Oracle Industries |
Oracle Health |
---|---|---|---|---|---|
ACN Italian Public Administration Directorial Decree Prot. N. 5489 ACNThe Italian National Cybersecurity Agency (Agenzia Per La Cybersicurezza nazionale or ACN) is an Italian government body that manages “Catalog of qualified Cloud services for the Public Administration (PA)”. ACN provides “a qualification path for public and private entities to provide Cloud infrastructures and services to the Public Administration (PA) with high standards of security, efficiency and reliability”. For more information, see https://www.acn.gov.it/portale/en/cloud/regolamento-cloud-per-la-pa |
yes |
yes |
|||
C5 Cloud Computing Compliance Controls Catalog C5The Cloud Computing Compliance Controls Catalog (C5) was created by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) in 2016. The intent of this standard is to establish a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with the government. For more information, see https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Empfehlungen-nach-Angriffszielen/Cloud-Computing/Kriterienkatalog-C5/C5_Einfuehrung/C5_Einfuehrung_node.html |
yes |
yes |
|||
CST CCRF Cloud Computing Regulatory Framework (CST CCRF) CST CCRFThe Communications, Space & Technology Commission (CST) of Saudi Arabia has issued the Cloud Computing Regulatory Framework (CCRF). The Regulatory Framework applies to the cloud computing services provided to subscribers residing in or having a subscriber’s address in the Kingdom and establishes a number of security and privacy requirements. For more information, see https://www.cst.gov.sa/en/RulesandSystems/RegulatoryDocuments/ Documents/CCRF_En.pdf |
|||||
Cyber Essentials Cyber Essentials Cyber EssentialsThe Cyber Essentials is a UK government scheme intended to help participating organizations protect themselves against a whole range of the most common cyber-attacks. The scheme intends to establish more rigorous testing of the organization’s cyber security systems where cyber security experts carry out vulnerability tests to make sure the organization is protected against basic hacking and phishing attacks. For more information, see https://www.ncsc.gov.uk/cyberessentials/overview |
yes |
yes |
yes |
||
DESC CSPSS Dubai Electronic Security Center (DESC) Cloud Service Provider (CSP) Security Standard DESC CSPSSThe Cloud Service Provider (CSP) Security Standard produced by Dubai Electronic Security Center (DESC) is a set of requirements and guidance for CSPs and organizations using cloud services. |
yes |
yes |
|||
ENS Esquema Nacional de Seguridad (Law 11/2007) ENSLaw 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with the ISO/IEC 27001 Standard, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. For more information, see https://administracionelectronica.gob.es/pae_Home/pae_Estrategias/pae_Seguridad_Inicio/pae_Esquema_Nacional_de_Seguridad.html?idioma=en#.YH9f2edlCUm |
yes |
yes |
yes |
||
EU Cloud CoC European Union (EU) Cloud Code of Conduct EU Cloud CoC'The European Union (EU) Cloud Code of Conduct is a set of requirements that can help Cloud Service Provider (CSPs) document their controls in relation to the European Union's General Data Protection Regulation (GDPR). The EU’s intention is "to make it easier for cloud customers to determine whether certain cloud services are appropriate for their designated purpose". For more information, see https://eucoc.cloud/en/about/about-eu-cloud-coc/ |
yes |
yes |
|||
HDS Hébergeur de Données de Santé HDSHébergeur de Données de Santé (HDS) is a formal certification required by French laws. It is required for any commercial organizations who control, store, process, or transmit personally identifiable healthcare information in France. For more information, see https://esante.gouv.fr/labels-certifications/hebergement-des-donnees-de-sante |
yes |
yes |
yes |
||
TISAX Trusted Information Security Assessment Exchange TISAXThe Trusted Information Security Assessment Exchange (TISAX) is an assessment and exchange mechanism for the information security of enterprises and allows recognition of assessment results among the participants. It is maintained by the ENX Association, an organization consisting of automobile manufacturers, suppliers and national automotive associations. For more information, see https://enx.com/en-US/TISAX/ |
yes |
yes |
|||
UAE IAR Information Security Requirements United Arab Emirates (UAE) Information Assurance Regulation (IAR) Information Security Requirements UAE IAR Information Security RequirementsThe United Arab Emirates (UAE) Telecommunication Regulatory Authority (TRA) has issued Information Assurance Regulation (IAR) to provide information security requirements for the critical infrastructure sectors in UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. For more information, see https://www.tdra.gov.ae/en/about-tra/telecommunication-sector/regulations-and-ruling/details.aspx#documents |
yes |
yes |
Attestation |
Oracle Cloud Infrastructure |
Oracle Applications |
NetSuite |
Oracle Industries |
Oracle Health |
---|---|---|---|---|---|
Hosting Certification Framework Australia Hosting Certification Framework (the Framework) Hosting Certification FrameworkThe Australian Government’s Hosting Certification Framework is intended to provide “guidance to Australian Government customers enabling them to identify and source hosting services that meet enhanced privacy, sovereignty and security requirements.” For more information, see https://www.hostingcertification.gov.au/framework |
yes |
||||
IRAP Information Security Registered Assessor Program IRAPThe Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) initiative. IRAP is the assessors' program developed by the Australian government Cyber Security Centre (ASD/ACSC) for assessing cloud services for government and non-government agency use. It is intended “to provide the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments”. For more information, see https://www.cyber.gov.au/irap |
yes |
yes |
|||
ISMAP Information System Security Management and Assessment Program ISMAPThe Information System Security Management and Assessment Program (ISMAP) is a Japanese government program for assessing the security of public cloud services. It is intended “to enable a common set of security standards for the Cloud Service Provider (CSP) to comply as baseline requirements for government procurement.” For more information, see https://www.oracle.com/jp/cloud/compliance/ismap/ |
yes |
||||
ISMS (formerly K-ISMS) Information Security Management System ISMS (formerly K-ISMS)The Korean Information Security Management System (formerly K-ISMS, now ISMS) is a country-specific ISMS framework. It is intended to define a set of control requirements designed to help ensure that organizations in Korea consistently and securely protect their information assets. For more information, see https://elaw.klri.re.kr/eng_service/ebook.do?hseq=38422#68 |
yes |
||||
MeitY IT Security Guidelines Ministry of Electronics and Information Technology (MeitY) Information Technology (IT) Security Guidelines MeitY IT Security GuidelinesIndia's Ministry of Electronics and Information Technology (MeitY) has defined the Information Technology Security Guidelines as a set of standards and guidelines that cloud services can be certified against in areas including security, interoperability, data portability, service level agreement, contractual terms and conditions. These guidelines are based on global information security standards such as ISO/IEC 27001:2013; ISO/IEC 20000:1; ISO/IEC 27017:2015; ISO/IEC 27018:2014; and TIA-942/ UPTIME (Tier III or higher). For more information, see https://www.meity.gov.in/writereaddata/files/act2000_0.pdf |
yes |
||||
MTCS Singapore Multi-Tier Cloud Security Standard MTCSThe Multi-Tier Cloud Security (MTCS) Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA). It is intended “to promote and facilitate national programs to standardize IT and communications, and Singapore's participation in international standardization activities.” For more information, see https://www.imda.gov.sg/regulations-and-licensing-listing/ict-standards-and-quality-of-service/it-standards-and-frameworks/compliance-and-certification |
yes |
yes |
|||
OSPAR Outsourced Service Provider’s Audit Report (OSPAR) OSPARThe Association of Banks in Singapore (“ABS”) provides Guidelines on Control Objectives and Procedures for the Financial Institution’s Outsourced Service Providers (“OSPs”) operating in Singapore. ABS defines guidance for providers of outsourced services which are material to banks or have access to the financial institution clients’ information. For more information, refer https://www.abs.org.sg/industry-guidelines/outsourcing |
yes |
Oracle provides general information about some of the compliance frameworks listed below in the form of “advisories.” These advisories are provided to help you in your determination of the suitability of using specific Oracle cloud services as well as to assist you in implementing specific technical controls that may help you meet your compliance obligations. These advisories are not legal advice and you remain solely responsible for determining if a specific Oracle cloud service or configuration, or both, meets your legal and regulatory obligations.
Region | Country | Advisories |
---|---|---|
Global |
GxP Good Practice Guidelines |
|
Americas | Brazil | Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements
Central Bank of Brazil (BACEN) Resolution 4893 Digital Service Requirements |
Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18 Lei Geral de Proteção de Dados Lei (LGPD) Federal 13.709/18 |
||
Canada | Canadian Security Requirements for Protected B information Canadian Security Requirements for Protected B information |
|
Office of the Superintendent of Financial Institutions (OSFI) Guideline: Outsourcing of Business Activities, Functions and Processes (No. B-10) |
||
Personal Information Protection and Electronic Documents Act (PIPEDA) Personal Information Protection and Electronic Documents Act (PIPEDA) |
||
Mexico | Circular Única de Seguros y Fianzas (CUSF) Circular Única de Seguros y Fianzas (CUSF) |
|
Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO) Ley General de Protección de Datos Personales en Posesión de sujetos Obligados (LGPDPPSO) |
||
Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB) Ley de Instituciones de Crédito (LIC) & Circular única de bancos (CUB) |
||
Ley del Mercado de Valores (LMV) Ley del Mercado de Valores (LMV) |
||
Ley Para Regular Las Instituciones De Tecnologia Financiera Ley Para Regular Las Instituciones De Tecnologia Financiera |
||
United States | California Consumer Privacy Act (CCPA) California Consumer Privacy Act (CCPA)
|
|
Criminal Justice Information Services Security Policy (CJIS) Criminal Justice Information Services Security Policy (CJIS) |
||
Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012 Defense Federal Acquisition Regulation Supplement (DFARS) Parts 7010 and 7012 |
||
Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool |
||
Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503 Intelligence Community (IC) Information Technology Systems Security Risk Management Directive 503 |
||
Internal Revenue Service (IRS) Publication 1075 Internal Revenue Service (IRS) Publication 1075 |
||
International Traffic in Arms Regulations (ITAR) International Traffic in Arms Regulations (ITAR) |
||
Minimum Acceptable Risk Standards for Exchanges (MARS-E) Minimum Acceptable Risk Standards for Exchanges (MARS-E) |
||
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |
||
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) |
||
Securities and Exchange Commission (SEC Rule 17a-4(f)), Financial Industry Financial Authority (FINRA Rule 4511(c)), and Commodities Futures Trading Commission (CFTC Rule 1.31(c)-(d)) Electronic Records Retention Requirements |
||
Europe, Middle East, and Africa | European Union | Digital Operational Resilience Act (DORA) Digital Operational Resilience Act (DORA) |
Network and Information Security Directive II (NIS2) Network and Information Security Directive II (NIS2) |
||
European Banking Authority (EBA) Guidelines on Outsourcing Arrangements
European Banking Authority (EBA) Guidelines on Outsourcing Arrangements |
||
European Union Agency for Cybersecurity (ENISA) Cloud Computing Information Assurance Framework European Union Agency for Cybersecurity (ENISA) Cloud Computing Information Assurance Framework
|
||
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) |
||
Germany | BaFin Guidance on Outsourcing to Cloud Service Providers BaFin Guidance on Outsourcing to Cloud Service Providers |
|
IT Grundschutz
|
||
Kritische Infrastrukturen - Abschnitt 8a Kritische Infrastrukturen - Abschnitt 8a |
||
Kenya | Guidelines on Cybersecurity for Payment Service Providers Guidelines on Cybersecurity for Payment Service Providers |
|
Prudential Guidelines for Institutions Licensed under the Banking Act Prudential Guidelines for Institutions Licensed under the Banking Act |
||
Prudential Guideline on Outsourcing (CBK/PG/16)
Prudential Guideline on Outsourcing (CBK/PG/16) |
||
Kuwait | Cloud Computing Regulatory Framework (CITRA CCRF) Cloud Computing Regulatory Framework (CITRA CCRF) |
|
Netherlands | Government Information Security Baseline (BIO) Government Information Security Baseline (BIO) |
|
NEN 7510 Information Security Management in Healthcare NEN 7510 Information Security Management in Healthcare |
||
Wet op het financieel toezicht or Wft Wet op het financieel toezicht or Wft |
||
Norway | Forskrift om bruk av informasjons- og kommunikasjonsteknologi Forskrift om bruk av informasjons- og kommunikasjonsteknologi |
|
Veiledning om utkontraktering |
||
Saudi Arabia | National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) National Cybersecurity Authority (NCA) Essential Cybersecurity Controls (ECC) |
|
Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF)
Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF) |
||
Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing Saudi Arabian Monetary Authority (SAMA) Rules on Outsourcing |
||
South Africa |
Directive 159.A.i |
|
Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G5/2014) |
||
Office of the Registrar of Banks Outsourcing Functions within a Bank and Cyber Resilience Guidance Note 4 (G4/2017) |
||
Protection of Personal Information Act (POPIA) Protection of Personal Information Act (POPIA) |
||
Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018) Prudential Authority Cloud Computing and Offshoring of Data Directive 3 (D3/2018) |
||
Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018) Prudential Authority Cloud Computing and Offshoring of Data Guidance Note 5 (G5/2018) |
||
Spain |
Pinakes |
|
Switzerland | Financial Market Supervisory Authority (FINMA) Circular 2018/3
Financial Market Supervisory Authority (FINMA) Circular 2018/3 |
|
United Arab Emirates | United Arab Emirates (UAE) Federal Law No. 2 of 2019 United Arab Emirates (UAE) Federal Law No. 2 of 2019 |
|
United Kingdom | Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation) Commission Delegated Regulation (EU) 2015/35 (Solvency II Delegated Regulation) |
|
ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014 ESMA Markets in Financial Instruments Directive MiFID II and MiFIR 600/2014 |
||
Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance
Financial Conduct Authority’s (FCA) Handbook of Rules and Guidance |
||
National Cyber Security Centre IT Health Check (ITHC) National Cyber Security Centre IT Health Check (ITHC) |
||
Prudential Regulation Authority’s Supervisory Statement 2/21 (PRA SS2/21) on Outsourcing and Third-Party Risk Management |
||
UK Government G-Cloud Framework UK Government G-Cloud Framework |
||
UK National Cyber Security Centre (NCSC) Cloud Security Principles UK National Cyber Security Centre (NCSC) Cloud Security Principles |
||
UK NHS Data Security and Protection Toolkit (DSPT) UK NHS Data Security and Protection Toolkit (DSPT) |
||
Asia Pacific | Australia | Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231
Australian Prudential Regulation Authority (APRA) for Outsourcing: CPS 231, SPS 231 and HPS 231 |
Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 |
||
Hong Kong | Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1 Hong Kong Monetary Authority (HKMA) General Principles for Technology Risk Management TM-G-1 |
|
Hong Kong Monetary Authority (HKMA) Outsourcing SA-2 Hong Kong Monetary Authority (HKMA) Outsourcing SA-2 |
||
India | ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act ICAI Implementation Guide on Reporting under Rule 11(g) of Companies Act |
|
Insurance Regulatory and Development Authority of India (IRDAI) Regulation /5/142/2017, Outsourcing of Activities by Indian Insurers |
||
Reserve Bank of India (RBI) Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs) (2018) |
||
Reserve Bank of India (RBI) Cyber Security Framework in Banks safeguarding use of Information Technology (2016) |
||
Reserve Bank of India (RBI) Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds |
||
Reserve Bank of India (RBI) Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by banks (2006) |
||
Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015)
Securities and Exchange Board of India (SEBI) Circular on Outsourcing by Depositories (2015) |
||
Securities and Exchange Board of India (SEBI) Circular on Outsourcing of Activities by Stock Exchanges and Clearing Corporations (2017) |
||
Securities and Exchange Board of India (SEBI) Guidelines on Outsourcing of Activities by Intermediaries (2011) |
||
Japan | Financial Industry Information Systems (FISC) Security Guidelines Financial Industry Information Systems (FISC) Security Guidelines |
|
National Center of Incident Readiness and Strategy for Cybersecurity (NISC) National Center of Incident Readiness and Strategy for Cybersecurity (NISC) |
||
Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act Personal Information Protection Commission (PPC) Circular 2018/3: My Number Act |
||
Three Ministries Guidelines: Healthcare Sector Three Ministries Guidelines: Healthcare Sector
| ||
Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank Financial Services Agency (FSA) Comprehensive Guidelines for Supervision of Major Bank |
||
Malaysia | Risk Management in Technology (RMiT) Risk Management in Technology (RMiT) |
|
Singapore | Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide Association of Banks in Singapore (ABS) Cloud Computing Implementation Guide |
|
Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines
Monetary Authority of Singapore (MAS): Technology Risk Management (TRM) Guidelines |
||
Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655
Monetary Authority of Singapore (MAS) Cyber Hygiene Requirements Notice 655 |
||
South Korea | Financial Security Initiative (FSI) Cloud Guidelines Financial Security Initiative (FSI) Cloud Guidelines |
|
Thailand |
Bank of Thailand Regulation on IT Outsourcing for Business Operations of Financial Institutions (No. FPG. 19/2559) |
|
Rules, Conditions and Procedures for Outsourcing Function related to Business Operation to Third Party (No. Tor Thor. 60/2561) |