Page 1082 - Cloud computing: From paradigm to operation

7                                                     Security


            18.2    Information security reviews

            The objective specified in clause 18.2 of ISO/IEC 27002 applies.
            18.2.1  Independent review of information security

            Control 18.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply. The following sector-specific guidance also applies.
            Implementation guidance for cloud services

            Cloud service customer

            The cloud service customer should request documented evidence that the implementation of
            information security controls and guidelines for the cloud service is in line with any claims
            made by the cloud service provider. Such evidence could include certifications against relevant
            standards.

            Cloud service provider

            The cloud service provider should provide documented evidence to the cloud service customer to
            substantiate its claim of implementing information security controls. Where individual cloud
            service customer audits are impractical or can increase risks to information security, the cloud
            service provider should provide independent evidence that information security is implemented and
            operated in accordance with the cloud service provider's policies and procedures. This should be
            made available to prospective cloud service customers prior to entering a contract. A relevant
            independent audit as selected by the cloud service provider should normally be an acceptable
            method for fulfilling the cloud service customer's interest in reviewing the cloud service
            provider's operations, provided sufficient transparency is provided. When the independent audit
            is impractical, the cloud service provider should conduct a self-assessment, and disclose its
            process and results to the cloud service customer.

            18.2.2  Compliance with security policies and standards

            Control 18.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.

            18.2.3  Technical compliance review

            Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002
            apply.
