Page 1083 - Cloud computing: From paradigm to operation

Security


                                                        Annex A


                                        Cloud service extended control set
                      (This annex forms an integral part of this Recommendation | International Standard.)


            This annex provides additional control objectives, controls and implementation guidance as an extended
            control set for cloud services. ISO/IEC 27002 control objectives related to these controls are not repeated.

            An organization intending to implement these controls in an information security management system (ISMS)
            that is to be conformant to ISO/IEC 27001 should extend its statement of applicability (SOA) by including the
            controls stated in this annex.

            CLD.6.3  Relationship between cloud service customer and cloud service provider
             Objective: To clarify the relationship regarding shared roles and responsibilities between the cloud service
             customer and the cloud service provider for information security management.

            CLD.6.3.1   Shared roles and responsibilities within a cloud computing environment
            Control

            Responsibilities for shared information security roles in the use of the cloud service should be allocated to
            identified parties, documented, communicated and implemented by both the cloud service customer and
            the cloud service provider.

            Implementation guidance for cloud services

             Cloud service customer

             The cloud service customer should define or extend its existing policies and procedures in accordance with
             its use of cloud services, and make cloud service users aware of their roles and responsibilities in the use
             of the cloud service.

             Cloud service provider

             The cloud service provider should document and communicate its information security capabilities, roles
             and responsibilities for the use of its cloud service, along with the information security roles and
             responsibilities that the cloud service customer would need to implement and manage as part of its use of
             the cloud service.

            Other information for cloud services

            In cloud computing, roles and responsibilities are typically divided between employees of the cloud service
            customer and employees of the cloud service provider. The allocation of roles and responsibilities should
            take into consideration the cloud service customer data and the cloud service customer applications for
            which the cloud service provider is a custodian.

            CLD.8.1  Responsibility for assets

            The objective specified in clause 8.1 of ISO/IEC 27002 applies.

            CLD.8.1.5   Removal of cloud service customer assets
            Control

            Assets of the cloud service customer that are on the cloud service provider's premises should be removed,
            and returned if necessary, in a timely manner upon termination of the cloud service agreement.