Page 1055 - Cloud computing: From paradigm to operation
Security 7
1 Scope
This Recommendation | International Standard gives guidelines for information security controls applicable
to the provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both
cloud service providers and cloud service customers.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in
this text, constitute provisions of this Recommendation | International Standard. At the time of publication,
the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to
agreements based on this Recommendation | International Standard are encouraged to investigate the
possibility of applying the most recent edition of the Recommendations and Standards listed below.
Members of IEC and ISO maintain registers of currently valid International Standards. The
Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T
Recommendations.
2.1 Identical Recommendations | International Standards
– Recommendation ITU-T Y.3500 (in force) | ISO/IEC 17788: (in force), Information technology – Cloud
computing – Overview and vocabulary.
– Recommendation ITU-T Y.3502 (in force) | ISO/IEC 17789: (in force), Information technology – Cloud
computing – Reference architecture.
2.2 Additional References
– ISO/IEC 27000: (in force), Information technology – Security techniques – Information security
management systems – Overview and vocabulary.
– ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information
security controls.
3 Definitions and abbreviations
3.1 Terms defined elsewhere
For the purposes of this Recommendation | International Standard, the terms and definitions given in ISO/IEC
27000, Rec. ITU-T Y.3500 | ISO/IEC 17788, Rec. ITU-T Y.3502 | ISO/IEC 17789 and the following definitions
apply:
3.1.1 The following term is defined in ISO 19440:
– capability: Quality of being able to perform a given activity.
3.1.2 The following terms are defined in ISO/IEC 27040:
– data breach: Compromise of security that leads to the accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to protected data transmitted, stored, or otherwise
processed.
– secure multi-tenancy: Type of multi-tenancy that employs security controls to explicitly guard
against data breaches and provides validation of these controls for proper governance.
NOTE 1 – Secure multi-tenancy exists when the risk profile of an individual tenant is no greater than it would be in a
dedicated, single-tenant environment.
NOTE 2 – In very secure environments, even the identity of the tenants is kept secret.