The EU Data Protection Code of Conduct for Cloud Service Providers – A guide to compliance

SKU: 5799
Authors: Alan Calder
Publishers: IT Governance Publishing
Format: Softcover
ISBN13: 9781787783423
Pages: 60
Published: 02 Nov 2021
Availability: Available now
Format: PDF
ISBN13: 9781787783430
Pages: 54
Published: 02 Nov 2021
Availability: Available now
Format: ePub
ISBN13: 9781787783447
Pages: 54
Published: 02 Nov 2021
Availability: Available now
Format: Kindle
ISBN13: 9781787783454
Pages: 54
Published: 02 Nov 2021
Availability: Available now
  • Introduces the concepts of the EU Data Protection Code of Conduct for Cloud Service Providers.
  • Explains the advantages of implementing the Code.
  • Explores various methods to achieve compliance, and discusses the certification process.
Price: £9.95

Formally founded in 2017, the EU Data Protection Code of Conduct for Cloud Service Providers (otherwise known as the EU Cloud Code of Conduct; the Code) is a voluntary code of conduct created specifically to support GDPR compliance within the B2B (business-to-business) Cloud industry. The EU Commission, the Article 29 Working Party (now the EDPB (European Data Protection Board)), the EU Directorate-General for Justice and Consumers, and Cloud-industry leaders have all contributed to its development, resulting in a robust framework that recognises the unique requirements of the Cloud industry.

Cloud providers must ensure that their services – which by design involve accessing and transferring data across the Internet, exposing it to far greater risk than data stored and processed within an organisation’s internal network – meet or exceed the GDPR’s requirements in order to provide the security and privacy that the market expects. Organisations can achieve this via compliance with the EU Cloud Code of Conduct.

The Code has already been adopted by major Cloud service organisations, including:

  • Microsoft
  • Oracle
  • Salesforce
  • IBM
  • Google Cloud
  • Dropbox
  • Alibaba Cloud

Public and business focus on information security and data protection continues to increase in the face of a constantly changing threat landscape and ever more stringent regulation, and compliance with initiatives such as the EU Cloud Code of Conduct demonstrates to current and potential customers that your organisation is taking data privacy seriously. It also strengthens your organisation’s approach to information security management, and defences against data breaches.

The EU Data Protection Code of Conduct for Cloud Service Providers provides guidance on how to implement the Code. It explores the Code’s objectives, and how compliance can be achieved with or without an ISMS (information security management system).

Begin your journey to EU Cloud Code of Conduct implementation with our compliance guide – buy this book today!

About the author

Alan Calder

Alan Calder founded IT Governance Ltd in 2002 and began working full time for the organisation in 2007. He is Group CEO of GRC International Group PLC, the AIM-listed company that owns IT Governance Ltd. Alan has held a number of roles, including CEO of Business Link London City Partners (a government agency focused on helping growing businesses to develop) from 1995 to 1998, CEO of Focus Central London (a training and enterprise council) from 1998 to 2001, and CEO of Wide Learning (a supplier of e-learning) from 2001 to 2003 and the Outsourced Training Company (2005). He was also chairman of CEME (a public–private-sector skills partnership) from 2006 to 2011.

Alan is an acknowledged international cyber security guru and a leading author on information security and IT governance issues. He has been involved in the development of a wide range of information security management training courses that have been accredited by IBITGQ (International Board for IT Governance Qualifications). Alan has consulted for clients in the UK and abroad and is a regular media commentator and speaker.

For information on Alan’s other publications, visit:

Types of penetration testing

Different types of pen testing will focus on various aspects of your organisation’s logical perimeter – the boundary that separates your network from the Internet.

Web application (software) penetration tests

Web application tests focus on vulnerabilities such as coding errors or software responding to certain requests in unintended ways.

These include:

  • Testing user authentication to verify that user accounts cannot be used to compromise data;
  • Assessing the web applications for flaws and vulnerabilities, such as XSS (cross-site scripting) or SQL injection;
  • Confirming the secure configuration of web browsers and identifying features that can cause vulnerabilities; and
  • Safeguarding database server and web server security.

Learn more about web application penetration testing

Infrastructure (network) penetration tests

Internal network penetration tests focus on what an attacker with inside access could achieve. An internal test will generally:

  • Test from the perspective of both an authenticated and non-authenticated user to assess potential exploits;
  • Assess vulnerabilities affecting systems that are accessible by authorised login IDs and that reside within the network; and
  • Check for misconfigurations that could allow employees to access information and inadvertently leak it online.

Learn more about internal network (infrastructure) penetration testing

External penetration tests identify and test security vulnerabilities that might allow attackers to gain access from outside the network. An external test will generally:

  • Identify vulnerabilities in the defined external infrastructure, such as file servers and web servers;
  • Check authentication processes to ensure there are appropriate mechanisms to confirm users’ identities;
  • Verify that data is being securely transferred; and
  • Check for misconfigurations that could allow information to be leaked.

Learn more about external network penetration testing

Social engineering penetration tests

As technical security measures improve, criminals increasingly use social engineering attacks such as phishing, pharming and BEC (business email compromise) to access target systems.

So, just as you should test your organisation’s technological vulnerabilities, you should also test your staff’s susceptibility to phishing and other social engineering attacks.

Learn more about social engineering penetration testing

Wireless network penetration tests

If you use wireless technology, such as Wi-Fi, you should also consider wireless network penetration tests.

These include:

  • Identifying Wi-Fi networks, including wireless fingerprinting, information leakage and signal leakage;
  • Determining encryption weaknesses, such as encryption cracking, wireless sniffing and session hijacking;
  • Identifying opportunities to penetrate a network via its wireless access or by evading WLAN access control measures; and
  • Identifying legitimate users’ identities and credentials to access otherwise private networks and services.

Learn more about wireless network penetration testing

Red team penetration testing

Red teaming is the most advanced level of penetration testing. It mimics the actions of a focused attacker, and uses any methods available to gain access to your networks, systems and information.

Penetration testers might copy common industry attacks or pursue an entirely bespoke attack vector. In some instances, depending on the scope of the engagement, the red team may attempt to gain physical access.

Attacks may be conducted in phases or on several fronts to identify any vulnerabilities that could be exploited by criminal hackers.

Any data exfiltration will be attempted over a secure channel to protect the information in transit. The testers will record the details of the attack, and which systems, tools or accounts were used.

At the end of the test, the red team will restore any systems to their initial states and provide a detailed report explaining your security risks and how to resolve them.

Learn more about red team assessments

Speak to an expert

For more information on how our CREST-accredited penetration testing services can help safeguard your organisation, call us now on +44 (0)333 800 7000, or request a call back using the form below.

Get in touch

IT Governance’s penetration testing solutions

Our CREST-accredited penetration testing services have been developed to align with your business requirements, your budget, and the value you assign to the assets you intend to test.

Our proprietary security testing methodology is closely aligned with the SANS, OSSTMM (Open Source Security Testing Methodology Manual) and OWASP (Open Web Application Security Project) methodologies.

Level 1 penetration tests are suitable for organisations that want to identify the common exploitable weaknesses targeted by opportunistic attackers using freely available, automated attack tools. They are an off-the-shelf option with fixed constraints and are priced by scale, according to factors such as the number of IP addresses in scope.

Level 2 penetration tests are aimed at those with more complex objectives, or who require a more detailed exploration of complex or sensitive environments. They are designed according to clients’ individual needs following scoping.

Read more about our penetration testing services here, follow the links below or contact us today to discuss your penetration testing needs.
