Page 1077 - Cloud computing: From paradigm to operation
7 Security
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should include the cloud service provider as a type of supplier in its information security policy for supplier relationships. This will help to mitigate risks associated with the cloud service provider's access to and management of the cloud service customer data.

Cloud service provider:
(no additional implementation guidance)
15.1.2 Addressing security within supplier agreements
Control 15.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply. The following sector-specific guidance also applies.
Implementation guidance for cloud services
Cloud service customer:
The cloud service customer should confirm the information security roles and responsibilities relating to the cloud service, as described in the service agreement. These can include the following processes:
– malware protection;
– backup;
– cryptographic controls;
– vulnerability management;
– incident management;
– technical compliance checking;
– security testing;
– auditing;
– collection, maintenance and protection of evidence, including logs and audit trails;
– protection of information upon termination of the service agreement;
– authentication and access control;
– identity and access management.

Cloud service provider:
The cloud service provider should specify as part of an agreement the relevant information security measures that the cloud service provider will implement, to ensure there is no misunderstanding between the cloud service provider and the cloud service customer. The relevant information security measures that the cloud service provider will implement can vary based on the type of cloud service the cloud service customer is using.
15.1.3 Information and communication technology supply chain
Control 15.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
apply. The following sector-specific guidance also applies.
Implementation guidance for cloud services
Cloud service customer:
(no additional implementation guidance)

Cloud service provider:
If a cloud service provider uses cloud services of peer cloud service providers, the cloud service provider should ensure that the information security levels provided to its own cloud service customers are maintained or exceeded. When the cloud service provider provides cloud services based on a supply chain, the cloud service provider should provide information security objectives to suppliers, and request each of the suppliers to perform risk management activities to achieve those objectives.