Page 1080 - Cloud computing: From paradigm to operation

7       Security


            17      Information security aspects of business continuity management

            17.1    Information security continuity

            The objective specified in clause 17.1 of ISO/IEC 27002 applies.

            17.1.1  Planning information security continuity
            Control 17.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.

            17.1.2  Implementing information security continuity
            Control 17.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.

            17.1.3  Verify, review and evaluate information security continuity
            Control 17.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.


            17.2    Redundancies
            The objective specified in clause 17.2 of ISO/IEC 27002 applies.

            17.2.1  Availability of information processing facilities
            Control 17.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.


            18      Compliance

            18.1    Compliance with legal and contractual requirements
            The objective specified in clause 18.1 of ISO/IEC 27002 applies.

            18.1.1  Identification of applicable legislation and contractual requirements

            Control 18.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.

            Implementation guidance for cloud services

            Cloud service customer:
            The cloud service customer should consider the issue that relevant laws and regulations can be those of
            jurisdictions governing the cloud service provider, in addition to those governing the cloud service customer.
            The cloud service customer should request evidence of the cloud service provider's compliance with relevant
            regulations and standards required for the cloud service customer's business. Such evidence can be the
            certifications produced by third-party auditors.

            Cloud service provider:
            The cloud service provider should inform the cloud service customer of the legal jurisdictions governing the
            cloud service. The cloud service provider should identify its own relevant legal requirements (e.g., regarding
            encryption to protect personally identifiable information (PII)). This information should also be provided to
            the cloud service customer when requested. The cloud service provider should provide the cloud service
            customer with evidence of its current compliance with applicable legislation and contractual requirements.

            Other information for cloud services
            The legal and regulatory requirements that apply to the provision and use of cloud services should be
            identified, particularly where the processing, storage and communication capabilities are geographically
            distributed and multiple jurisdictions can be involved.

            It is important to note that compliance requirements, whether legal or contractual, remain the responsibility
            of the cloud service customer. Compliance responsibilities cannot be transferred to the cloud service
            provider.


