Expert Advice Community

A proof for fulfillment of requirement A.9.5.1 from ISO 27017

Guest user Created:   Sep 29, 2022 Last commented:   Sep 29, 2022

Our certification body has asked us to show the proof of implementation of A.9.5.1 from ISO 27017: "Risk assessment performed and mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment. (s1)"

Could you please give us some examples on what kind of proof we would need to present to the certification body?

Expert
Rhand Leal Sep 29, 2022

I’m assuming you are referring to control CLD.9.5.1 - Segregation in virtual computing environments.

Regarding the “Risk assessment performed”, you can show as evidence the last risk assessment and treatment report, indicating which risks related to “customer-developed/supplied software in the cloud environment” are treated by control CLD.9.5.1.

Regarding the “mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment”, examples of evidence of implementation of this control are:

  • Network diagrams showing how computing environments are segregated
  • Firewall rules tables showing the configurations implemented in network devices to segregate the environments
  • Results of independent penetration tests covering the evaluation of this control
