@opexxx
Created September 6, 2022 22:36
ISO IEC 27002 for cloud services
Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Note: Only those controls that are listed in the ISO/IEC 27017 standard that apply to Cloud Service Customers (CSCs) are shown here.
| AREA/SECTION | SUB-SECTION / CONTROL | ISO/IEC 27017 CSC REQUIREMENTS |
|---|---|---|
| A.5 Information security policies | | |
| | A.5.1 Management direction for information security | |
| | A.5.1.1 Policies for information security | Is there an information security policy for cloud computing? Does the policy consider the specific risks associated with using cloud services? |
| A.6 Organization of information security | | |
| | A.6.1 Internal organization | |
| | A.6.1.1 Information security roles and responsibilities | Are the roles and responsibilities concerned with the security of the cloud service agreed between the CSC and the CSP and documented, including the interface with the CSP support function? |
| | A.6.1.3 Contact with authorities | Are all of the authorities relevant to both the CSC and the CSP identified? |
| | CLD.6.3 Relationship between cloud service customer and cloud service provider | |
| | CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment | Are cloud service users aware of their roles and responsibilities in using each cloud service? |
| A.7 Human resources security | | |
| | A.7.2 During employment | |
| | A.7.2.2 Information security awareness, education and training | Do awareness training efforts include the specific risks and issues to do with the use of cloud services? |
| A.8 Asset management | | |
| | A.8.1 Responsibility for assets | |
| | A.8.1.1 Inventory of assets | Are information assets stored in the cloud included on the asset inventory? |
| | CLD.8.1.5 Removal of cloud service customer assets | When terminating a cloud service, is the process clear and documented, and does it cover all of the assets involved? |
| | A.8.2 Information classification | |
| | A.8.2.2 Labelling of information | Are assets stored in the cloud appropriately labelled? |
| A.9 Access control | | |
| | A.9.1 Business requirements of access control | |
| | A.9.1.2 Access to networks and network services | Does the access control policy address the specifics of access to each cloud service? |
| | A.9.2 User access management | |
| | A.9.2.3 Management of privileged access rights | Are appropriate authentication methods used for administrators of the cloud service, e.g. multi-factor? |
| | A.9.2.4 Management of secret authentication information of users | Are the authentication methods provided by the CSP sufficient for administrative access? |
| | A.9.4 System and application access control | |
| | A.9.4.1 Information access restriction | Is access to information in the cloud consistent with the access control policy? |
| | A.9.4.4 Use of privileged utility programs | Has the use of any utility programs been identified and agreed with the CSP? |
| | CLD.9.5 Access control of cloud service customer data in shared virtual environment | |
| | CLD.9.5.2 Virtual machine hardening | Are effective procedures in place for hardening of virtual machines? |
| A.10 Cryptography | | |
| | A.10.1 Cryptographic controls | |
| | A.10.1.1 Policy on the use of cryptographic controls | Are appropriate cryptographic controls in place to protect data at rest and in transit to and from the cloud? |
| | A.10.1.2 Key management | Are key management procedures clear for each cloud service? |
| A.11 Physical and environmental security | | |
| | A.11.2 Equipment | |
| | A.11.2.7 Secure disposal or reuse of equipment | Have the policies and procedures used by the CSP for disposal and reuse been confirmed? |
| A.12 Operations security | | |
| | A.12.1 Operational procedures and responsibilities | |
| | A.12.1.2 Change management | Are changes made by the CSP catered for within change management? |
| | A.12.1.3 Capacity management | Does capacity planning extend to cloud services? |
| | CLD.12.1.5 Administrator's operational security | Are critical operations documented and adequately monitored? |
| | A.12.3 Backup | |
| | A.12.3.1 Information backup | Have the backup facilities provided by the CSP been confirmed? |
| | A.12.4 Logging and monitoring | |
| | A.12.4.1 Event logging | Are event logging requirements met by all cloud services? |
| | A.12.4.3 Administrator and operator logs | Are the facilities provided by the CSP adequate to allow effective logging of administrator and operator activities? |
| | A.12.4.4 Clock synchronisation | Have the method and source of time synchronisation been obtained from the CSP? |
| | CLD.12.4.5 Monitoring of cloud services | Have the available monitoring facilities been confirmed? |
| | A.12.6 Technical vulnerability management | |
| | A.12.6.1 Management of technical vulnerabilities | Has the split of responsibilities for managing vulnerabilities been agreed? |
| A.13 Communications security | | |
| | A.13.1 Network security management | |
| | A.13.1.3 Segregation in networks | Are requirements for effective separation in a multi-tenanted environment met by the CSP? |
| A.14 System acquisition, development and maintenance | | |
| | A.14.1 Security requirements of information systems | |
| | A.14.1.1 Information security requirements analysis and specification | Are information security requirements for each cloud service defined? |
| | A.14.2 Security in development and support processes | |
| | A.14.2.1 Secure development policy | Is information about how the CSP performs secure development available? |
| A.15 Supplier relationships | | |
| | A.15.1 Information security in supplier relationships | |
| | A.15.1.1 Information security policy for supplier relationships | Is a CSP defined as a type of supplier for supplier management and risk assessment purposes? |
| | A.15.1.2 Addressing security within supplier agreements | Are the information security responsibilities of both parties clear from the cloud service agreement? |
| A.16 Information security incident management | | |
| | A.16.1 Management of information security incidents and improvements | |
| | A.16.1.1 Responsibilities and procedures | Are roles and responsibilities for incident management clear between the CSC and CSP? |
| | A.16.1.2 Reporting information security events | Are procedures for reporting and tracking events defined adequately? |
| | A.16.1.7 Collection of evidence | Are procedures relating to the preservation of digital evidence defined and agreed? |
| A.17 Information security aspects of business continuity management | | |
| A.18 Compliance | | |
| | A.18.1 Compliance with legal and contractual requirements | |
| | A.18.1.1 Identification of applicable legislation and contractual requirements | Have the requirements affecting both the CSC and the CSP been identified, and has the CSP provided evidence of the necessary compliance? |
| | A.18.1.2 Intellectual property rights | Are licensing issues regarding the use of software in a cloud environment identified and addressed? |
| | A.18.1.3 Protection of records | Is information available from the CSP regarding the collection and protection of records concerning the CSC's use of the service? |
| | A.18.1.5 Regulation of cryptographic controls | Has it been verified that the use of cryptographic controls in the cloud service complies with all relevant regulations? |
| | A.18.2 Information security reviews | |
| | A.18.2.1 Independent review of information security | Has evidence been provided by the CSP that the information security controls stated are in place, e.g. audit reports, certifications? |