Page 1057 - Cloud computing: From paradigm to operation
Security 7
is a cloud service customer with respect to the first, and a cloud service provider with respect to the cloud
service customer using its service. This example illustrates the case where this Recommendation |
International Standard applies to an organization both as a cloud service customer and as a cloud service
provider. Because cloud service customers and cloud service providers form a supply chain through the
design and implementation of the cloud service(s), clause "15.1.3 Information and communication
technology supply chain" of ISO/IEC 27002 applies.
The multi-part International Standard ISO/IEC 27036, "Information security for supplier relationships",
provides detailed guidance on information security in supplier relationships to the acquirer and supplier
of products and services. ISO/IEC 27036 Part 4 deals directly with the security of cloud services in supplier
relationships. This standard is also applicable to cloud service customers as acquirers and to cloud service
providers as suppliers.
4.3 Relationships between cloud service customers and cloud service providers
In the cloud computing environment, cloud service customer data is stored, transmitted and processed by a
cloud service. Therefore, a cloud service customer's business processes can depend upon the information
security of the cloud service. Without sufficient control over the cloud service, the cloud service customer
might need to take extra precautions with its information security practices.
Before entering into a supplier relationship, the cloud service customer needs to select a cloud service, taking
into account the possible gaps between the cloud service customer's information security requirements and
the information security capabilities offered by the service. Once a cloud service is selected, the cloud service
customer should manage the use of the cloud service in such a way as to meet its information security
requirements. In this relationship, the cloud service provider should provide the information and technical
support that are necessary to meet the cloud service customer's information security requirements. When
the information security controls provided by the cloud service provider are preset and cannot be changed
by the cloud service customer, the cloud service customer may need to implement additional controls of its
own to mitigate risks.
4.4 Managing information security risks in cloud services
Cloud service customers and cloud service providers should both have information security risk management
processes in place. They are advised to refer to ISO/IEC 27001 for the requirements to conduct risk
management in their information security management systems, and to refer to ISO/IEC 27005 for further
guidance on information security risk management itself. ISO 31000, to which ISO/IEC 27001 and ISO/IEC
27005 conform, can also aid a general understanding of risk management.
In contrast to the general applicability of the information security risk management processes, cloud
computing has its own types of risk sources, including threats and vulnerabilities, which are derived from its
features, e.g., networking, scalability and elasticity of the system, resource sharing, self-service provisioning,
administration on-demand, cross-jurisdictional service provisioning, and limited visibility into the
implementation of controls. Annex B provides references that give information on these risk sources and
associated risks in the provision and use of cloud services.
The controls and implementation guidance given in clauses 5 to 18 and Annex A of this Recommendation |
International Standard address cloud computing-specific risk sources and risks.
4.5 Structure of this standard
This Recommendation | International Standard is structured in a format similar to ISO/IEC 27002. This
Recommendation | International Standard includes clauses 5 to 18 of ISO/IEC 27002 by stating the
applicability of its texts at each clause and paragraph.
When objectives and controls specified in ISO/IEC 27002 are applicable without a need for any additional
information, only a reference to ISO/IEC 27002 is provided.