Cloud security concerns
The questions I have are as follows:
1) I already conducted the gap assessment before purchasing your book. At this point, do I still need to include the 27017 cloud controls in the gap assessment? i.e. the additional 7 controls?
Answer: ISO 27001 controls already provide good general protection for information security, so you have to check if your client has some specific requirements demanding cloud security. If so, then you must include the additional 7 controls in your gap assessment.
2) Do you think I should write a separate cloud security policy or should I add it to the ISMS policy?
Answer: Unless you have a specific legal or business requirement demanding a separate cloud security policy, it would be best to have a single policy covering these two issues (you can consider the cloud security policy as a section of your ISMS policy).
3) Also, what is the best way to ensure the client is implementing the appropriate controls, as I am not well versed in the AWS environment?
Answer: The best way is to perform a risk assessment, to identify the most relevant risks to your client's business. From the risks considered unacceptable, you can identify which controls are needed. Since you mentioned your client is using AWS, then it is important to ensure that the controls the provider must implement are defined as contractual clauses in its service agreement with AWS.
These articles will provide you with further explanation about cloud security in your context:
- Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Dec 31, 2018