The partner should be able to show clearly which regulations are fulfilled and for which customers they are relevant, and should be able to work out the necessary requirements together with the customer.
For many companies, compliance is a closed book. They tend to shy away from it because, at first glance, compliance is associated only with costs.
The partner should be able to show clearly where the costs are worthwhile, where the responsibility lies with the provider and where it lies with the customer. For example, even large companies delegate part of the responsibility to the customer, and various certifications apply only to basic services. The customer must then ensure on its own that the architecture and processes (e.g., encryption and key management) meet the requirements.
One example is AWS's "shared responsibility model". In any case, how responsibility is divided must be verified before working with any vendor.
ISO/IEC 27001: This standard specifies the requirements for establishing, implementing, maintaining and continuously improving a documented information security management system. The bottom line is that the partner has documented and audited processes to professionally manage security within the company - for itself and its customers.
This tool is central to demonstrating that a company is professionally managed. However, it is not a "silver bullet" in the security environment either, since it is rarely pointed out that the certified organization has a certain freedom of choice in which criteria it includes in its scope.
FINMA certification (FINMA-RS 08/7, RS 08/21 and RS 18/3): Many a provider talks about a FINMA certification. But there is no such thing, because FINMA only issues recommendations. Nevertheless, it is important for cloud providers with partners in the financial industry to show that they take these recommendations into account (e.g., ISAE 3400 or a SOC 2 report).
GDPR: The European Union's (EU) General Data Protection Regulation (GDPR) has been in effect since 2018. The new regulations give citizens more control over their personal data. The regulation also has significance for Swiss companies:
- If they operate a branch in an EU country.
- If they offer goods or services in the EU (e.g. via an online store).
- If a person residing in a member state of the EU, regardless of their nationality or place of residence, is directly affected by data processing.
Data Protection Act (nDSG): The Swiss Data Protection Act is currently being revised. The new Data Protection Act (nDSG) is scheduled to come into force on September 1, 2023. In large part, it will be aligned with the European GDPR.
This means that the requirements will be stricter and that personal penalties of up to CHF 250,000 will be introduced for non-compliance. Data protection will therefore become increasingly relevant, even for a company that works only in Switzerland with Swiss customers.
swiss hosting (full disclosure: this is a product of swiss made software): The question "Where is the data located?" is becoming increasingly important for many companies, for reasons of security but also of compliance. It is often claimed that a data location in Switzerland is sufficient. What is underestimated, however, is that it is just as important who can access the data, from where, and under what circumstances.
An obvious example is the CLOUD Act: US authorities are always allowed to access any data, no matter in whose territory it is stored. swiss hosting shows where there is no automatic access by third countries.