CSP - CSC - end user in ISO 27017
I would really appreciate your opinion on this ISO 27017 matter. This is the case.
Company A is ISO 27001 certified for the ".... management of cloud infrastructure (IaaS)"
Company A does not have its own data center.
Company A provides IaaS services based on cloud resources and technology of a big provider (such as MS Azure VMware Solution) with which Company A has a contract.
Company A wants to integrate ISO 27017 into its current ISO 27001 certificate (which already includes IaaS services).
From an ISO 27017 perspective, is Company A to be considered a cloud service customer, a cloud service provider, or both? And why?
Thanks in advance
In this scenario, Company A needs to be considered both cloud service customer and cloud service provider.
This happens because Company A needs to fulfill customers’ requirements related to cloud security (in this case it acts as a cloud provider), and at the same time it needs to enforce these requirements, and its own, on its suppliers (in this case it acts as a cloud customer).
This article will provide you with further explanation about ISO 27017:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
Mar 23, 2021