Table of Contents

 1     Scope
 2     Normative references
        2.1     Identical Recommendations | International Standards
        2.2     Additional References
 3     Definitions and abbreviations
        3.1     Terms defined elsewhere
        3.2     Abbreviations
 4     Cloud sector-specific concepts
        4.1     Overview
        4.2     Supplier relationships in cloud services
        4.3     Relationships between cloud service customers and cloud service providers
        4.4     Managing information security risks in cloud services
        4.5     Structure of this standard
 5     Information security policies
        5.1     Management direction for information security
 6     Organization of information security
        6.1     Internal organization
        6.2     Mobile devices and teleworking
 7     Human resource security
        7.1     Prior to employment
        7.2     During employment
        7.3     Termination and change of employment
 8     Asset management
        8.1     Responsibility for assets
        8.2     Information classification
        8.3     Media handling
 9     Access control
        9.1     Business requirements of access control
        9.2     User access management
        9.3     User responsibilities
        9.4     System and application access control
10     Cryptography
       10.1     Cryptographic controls
11     Physical and environmental security
       11.1     Secure areas
       11.2     Equipment
12     Operations security
       12.1     Operational procedures and responsibilities
       12.2     Protection from malware
       12.3     Backup
       12.4     Logging and monitoring
       12.5     Control of operational software
       12.6     Technical vulnerability management
       12.7     Information systems audit considerations
13     Communications security
       13.1     Network security management
       13.2     Information transfer
14     System acquisition, development and maintenance
       14.1     Security requirements of information systems
       14.2     Security in development and support processes
       14.3     Test data
15     Supplier relationships
       15.1     Information security in supplier relationships
       15.2     Supplier service delivery management
16     Information security incident management
       16.1     Management of information security incidents and improvements
17     Information security aspects of business continuity management
       17.1     Information security continuity
       17.2     Redundancies
18     Compliance
       18.1     Compliance with legal and contractual requirements
       18.2     Information security reviews
Annex A – Cloud service extended control set
Annex B – References on information security risk related to cloud computing
Bibliography