Expert Advice Community

Cloud security concerns

Guest user | Created: Dec 31, 2018 | Last commented: Dec 31, 2018

I am currently working with a small client that hosts its production servers in the cloud.
Expert
Rhand Leal Dec 31, 2018

The questions I have are as follows:

1) I already conducted the gap assessment before purchasing your book. At this point, do I still need to include the 27017 cloud controls in the gap assessment, i.e. the additional 7 controls?

Answer: ISO 27001 controls already provide good general protection for information security, so you have to check if your client has some specific requirements demanding cloud security. If so, then you must include the additional 7 controls in your gap assessment.

2) Do you think I should write a separate cloud security policy or should I add it to the ISMS policy?

Answer: Unless you have a specific legal or business requirement demanding a separate cloud security policy, it would be best to have a single policy covering these two issues (you can consider the cloud security policy as a section of your ISMS policy).

3) Also, what is the best way to ensure the client is implementing the appropriate controls, as I am not well versed in the AWS environment?

Answer: The best way is to perform a risk assessment to identify the most relevant risks to your client's business. From the risks considered unacceptable, you can identify which controls are needed. Since you mentioned your client is using AWS, it is important to ensure that the controls the provider must implement are defined as contractual clauses in its service agreement with AWS.

These articles will provide you with further explanation about cloud security in your context:
- Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
