Expert Advice Community


Data centre externalized

Guest user Created:   Feb 29, 2016 Last commented:   Feb 29, 2016


I have a query… it’s already 3 years since we are certified ISO 27001 and this year we shall go for recertification.
Antonio Jose Segovia Feb 29, 2016

There will be a change however – our primary data centre will be hosted by a third party in the near future.

Currently it’s in our data centre in our office, so we manage everything… now, we’ll be renting rack stage from that data centre.

I would like to know what ISO controls I should consider (cloud services, hosting services…)

Answer:
If you have a data centre outsourced, you can manage risks from those assets that you can manage: data, applications (if you have web servers, application servers, virtual servers, etc. managed by you), so in this case your risk management must be done for these assets.

For those assets that are not managed by you (facilities, devices of physical access, personnel of the data centre, etc.), you can see them as an asset of type service, and you can identify all risks related to it.

There are no specific controls in the Annex A of ISO 27001:2013 for cloud services and hosting services, but for this you can use ISO 27017, which is a standard specifically developed for the information security control for cloud services. For more information about this standard, please read this article: “ISO 27001 vs. ISO 27017 – Information security controls for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

By the way, this article about how to handle an asset register can also be interesting for you: “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
