27018 controls
Re ISO 27018, we have a substantial amount of our infrastructure in the cloud (Azure and Google). Do we need to apply any 27018 controls, or can we cite the compliance of Google and Microsoft with the ISO standards to check that box?
For ISO 27001 certification purposes, unless you have specific requirements to adopt ISO 27018 controls (e.g., laws or contracts), you can apply only ISO 27001 Annex A controls.
Regarding only mentioning compliance of Google and Microsoft with the ISO standards, this would not be sufficient. You need to ensure that your specific security needs are covered by those providers by either (a) including security clauses in the agreement with them, or (b) making sure their Terms & Conditions specify the security clauses that are satisfactory for you.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Apr 29, 2020