Risk Assessment and Risk Treatment Methodology-Cloud
Please see the attached documents received as a reference from Advisera. I'm looking at the document "Risk Assessment and Risk Treatment Methodology-Cloud"; however, this document does not mention ISO 27017 for cloud environments. Will you please send us the correct documentation? I'm also looking at the specific requirements covered in each document in its own section 2 – Reference Documents, which does not mention cloud environments ISO 27017.
Please see the response from Advisera: "Risk Assessment and Risk Treatment Methodology Cloud covers not only requirements for ISO 27001, but also specific requirements applicable for cloud environments defined by ISO 27017 and for Personally Identifiable Information (PII) defined by ISO 27018."
Answer:
First of all, thanks for this feedback.
Please note that ISO 27017, in its clause 4.4 (Managing information security risks in cloud services), does not define any additional requirements for the risk management process; it only advises referring to the requirements for risk management defined for ISO 27001 and considering, in their application, cloud environment specifics (e.g., risk sources, threats and vulnerabilities), and these specifics are already included in the risk assessment and risk treatment tables.
Considering that, we will be adding this reference to ISO 27017 to this Risk Assessment and Risk Treatment Methodology Cloud template to avoid misunderstandings, but there is no need to make any other change in the document, and the document you have is fully compliant with ISO 27017.
Sep 03, 2019