Page 1058 - Cloud computing: From paradigm to operation
7 Security


When an objective with controls, or a control under an objective from ISO/IEC 27002, is needed in addition to those of ISO/IEC 27002, they are given in normative Annex A: Cloud service extended control set. When a control of ISO/IEC 27002 or Annex A of this Recommendation | International Standard needs additional cloud service specific implementation guidance related to the control, it is given under the subtitle "Implementation guidance for cloud services". The guidance is provided in one of the following two types:

Type 1 is used when there is separate guidance for the cloud service customer and the cloud service provider.

Type 2 is used when the guidance is the same for both the cloud service customer and the cloud service provider.
Type 1 (two separate cells, one per party)

    Cloud service customer    |    Cloud service provider

Type 2 (one cell spanning both parties)

    Cloud service customer    |    Cloud service provider

            Additional information that might need to be considered is provided under the subtitle "Other information
            for cloud services".


            5       Information security policies


            5.1     Management direction for information security
            The objective specified in clause 5.1 of ISO/IEC 27002 applies.

            5.1.1   Policies for information security
            Control 5.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

Cloud service customer

An information security policy for cloud computing should be defined as a topic-specific policy of the cloud service customer. The cloud service customer's information security policy for cloud computing should be consistent with the organization's acceptable levels of information security risks for its information and other assets.

When defining the information security policy for cloud computing, the cloud service customer should take the following into account:
– information stored in the cloud computing environment can be subject to access and management by the cloud service provider;
– assets can be maintained in the cloud computing environment, e.g., application programs;
– processes can run on a multi-tenant, virtualized cloud service;

Cloud service provider

The cloud service provider should augment its information security policy to address the provision and use of its cloud services, taking the following into account:
– the baseline information security requirements applicable to the design and implementation of the cloud service;
– risks from authorized insiders;
– multi-tenancy and cloud service customer isolation (including virtualization);
– access to cloud service customer assets by staff of the cloud service provider;
– access control procedures, e.g., strong authentication for administrative access to cloud services;
– communications to cloud service customers during change management;


