A proof for fulfillment of requirement A.9.5.1 from ISO 27017
Our certification body has asked us to show the proof of implementation of A.9.5.1 from ISO 27017: "Risk assessment performed and mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment. (s1)"
Could you please give us some examples on what kind of proof we would need to present to the certification body?
I’m assuming you are referring to control CDL 9.5.1 - Segregation in virtual computing environments.
Regarding the “Risk assessment performed”, you can show as evidence the last risk assessment and treatment report, indicating the risks related to “customer-developed/supplied software in the cloud environment” for which control CDL 9.5.1 is used as a treatment.
Regarding the “mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment”, examples of evidence of implementation of this control are:
- Network diagrams showing how computing environments are segregated
- Firewall rules tables showing the configurations implemented in network devices to segregate the environments
- Results of independent penetration tests covering the evaluation of this control
Sep 29, 2022