Page 1063 - Cloud computing: From paradigm to operation
P. 1063
Security 7
Other information for cloud services
There are cloud service applications that provide functions for managing information by adding cloud service
derived data to the cloud service customer data. Identifying such cloud service derived data as assets and
maintaining them in the inventory of assets can contribute to improving information security.
8.1.2 Ownership of assets
Control 8.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
Other information for cloud services
The ownership of assets will likely vary depending on the category of the cloud service being used. Application
software will belong to the cloud service customer when using a platform as a service (PaaS) or infrastructure
as a service (IaaS) service, whereas for a software as a service (SaaS) service, the application software will
belong to the cloud service provider.
8.1.3 The acceptable use of assets
Control 8.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
8.1.4 Return of assets
Control 8.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
8.2 Information classification
The objective specified in clause 8.2 of ISO/IEC 27002 applies.
8.2.1 Classification of information
Control 8.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
8.2.2 Labelling of information
Control 8.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply. The following sector-specific guidance also applies.
Implementation guidance for cloud services
Cloud service customer Cloud service provider
The cloud service customer should label information The cloud service provider should document and
and associated assets maintained in the cloud disclose any service functionality it provides allowing
computing environment in accordance with the cloud cloud service customers to classify and label their
service customer's adopted procedures for labelling. information and associated assets.
Where applicable, functionality provided by the cloud
service provider that supports labelling can be adopted.
8.2.3 Handling of assets
Control 8.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply.
8.3 Media handling
The objective specified in clause 8.3 of ISO/IEC 27002 applies.
1055