Doubts regarding policy and scope, ISO 27001:2013
I would like to know how I can go about writing my company's procedures if 95% of my infrastructure is on AWS.
For example, I was wondering whether AWS can share their SoA with me so that I can learn their objectives and their justification for the controls, and align mine with those of AWS.
The only equipment on our premises is the PCs, and all of them access AWS via VPN.
Regarding the ISMS scope and policies, you only need to focus on the part of the cloud infrastructure that you have direct control over (this will depend on the contracted cloud service, i.e. you would include data for SaaS, or data and application software for IaaS).
Examples of what needs to be done within the company are: security training and awareness, access control (defining who has the access, periodic review, etc.), etc.
The part controlled by AWS you can handle through controls from section A.15 - Supplier relationships. In short, you need to identify the relevant risks related to the infrastructure controlled by AWS and check whether the way they handle such risks is acceptable for your organization, and whether it is properly documented in the Terms of Service. For that, your understanding is correct: you can ask for the AWS SoA, so you can evaluate the applied controls and check whether they are included as security clauses in the Terms of Service.
You'll find a more detailed explanation here:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Aug 05, 2020