BS ISO IEC 27017:2015 pdf free download – Information technology – Security techniques – Codeof practice for informationsecurity controls based on ISO/IEC 27002 for cloud services

02-09-2022

4.1 Overview
The use of cloud computing has changed how organizations should assess and mitigate information security risks because of the significant changes in how computing resources are technically designed, operated and governed. This Recommendation | International Standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002 and provides additional controls to address cloud-specific information security threats and risk considerations.
Users of this Recommendation | International Standard should refer to clauses 5 to 18 in ISO/IEC 27002 for controls, implementation guidance and other information. Because of the general applicability of ISO/IEC 27002, many of the controls, implementation guidance and other information apply to both the general and cloud computing contexts of an organization. For example, "6.1.2 Segregation of duties" of ISO/IEC 27002 provides a control that can be applied whether the organization is acting as a cloud service provider or not. Additionally, a cloud service customer can derive requirements for segregation of duties in the cloud environment from the same control, e.g., segregating the cloud service customer's cloud service administrators from its cloud service users.
As an extension to ISO/IEC 27002, this Recommendation | International Standard further provides cloud service specific controls, implementation guidance and other information (see clause 4.5) that are intended to mitigate the risks that accompany the technical and operational features of cloud services (see Annex B). Cloud service customers and cloud service providers can refer to ISO/IEC 27002 and this Recommendation | International Standard to select controls with the implementation guidance, and add other controls if necessary. This process can be done by performing an information security risk assessment and risk treatment in the organizational and business context where cloud services are used or provided (see clause 4.4).
4.2 Supplier relationships in cloud services
ISO/IEC 27002 clause 15 "Supplier relationships" provides controls, implementation guidance and other information for managing information security in supplier relationships. The provision and use of cloud services is a kind of supplier relationship, where the cloud service customer is an acquirer and the cloud service provider is a supplier. Therefore, the clause applies to both cloud service customers and cloud service providers.
Cloud service customers and cloud service providers can also form a supply chain. Suppose that one cloud service provider provides an infrastructure capabilities type service, and another cloud service provider builds on it to provide an application capabilities type service. In this case, the second cloud service provider is a cloud service customer with respect to the first, and a cloud service provider with respect to the cloud service customer using its service. This example illustrates the case where this Recommendation | International Standard applies to an organization both as a cloud service customer and as a cloud service provider. Because cloud service customers and cloud service providers form a supply chain through the design and implementation of the cloud service(s), clause "15.1.3 Information and communication technology supply chain" of ISO/IEC 27002 applies.
4.3 Relationships between cloud service customers and cloud service providers
In the cloud computing environment, cloud service customer data is stored, transmitted and processed by a cloud service. Therefore, a cloud service customer's business processes can depend upon the information security of the cloud service. Without sufficient control over the cloud service, the cloud service customer might need to take extra precautions in its own information security practices.
Before entering into a supplier relationship, the cloud service customer needs to select a cloud service, taking into account the possible gaps between the cloud service customer's information security requirements and the information security capabilities offered by the service. Once a cloud service is selected, the cloud service customer should manage its use of the cloud service in such a way as to meet its information security requirements. In this relationship, the cloud service provider should provide the information and technical support that are necessary to meet the cloud service customer's information security requirements. When the information security controls provided by the cloud service provider are preset and cannot be changed by the cloud service customer, the cloud service customer may need to implement additional controls of its own to mitigate the remaining risks.