How cloud risks are mitigated
Cloud-16 Do you have a document available to tenants describing your Information Security Management Program (ISMP) which addresses how cloud risks are mitigated (e.g. multi-tenancy, network segregation, entitlement)?
I can't seem to find this term in the context of 27001. Any idea what they might mean by this? This can't simply be the Information Security Policy, could it?
Answer:
You are right, the specific term “Information Security Management Program (ISMP)” is not used in ISO 27001 (nor in ISO 27002), and without more specific information about the context or your situation it is difficult for me to give you more information.
Anyway, in your question I can read “how cloud risks are mitigated…”, and for the mitigation of any type of risk you need a methodology for risk management, so if you do not have this, I recommend you try our toolkit “Risk Assessment and Risk Treatment Methodology”: https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/
With the methodology you can have a defined process for the management of risks, so basically you can identify risks and reduce, or mitigate, them with the implementation of security controls.
By the way, ISO 27017 is a code of practice for information security controls based on ISO 27002 for cloud services, and ISO 27018 is also a code of practice, but for the protection of personally identifiable information in public clouds, so it may be interesting for you to read both standards. These articles may also be interesting for you:
"ISO 27001 vs. ISO 27017 - Information security controls for cloud services": https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
"ISO 27001 vs. ISO 27018 - Standard for protecting privacy in the cloud": https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Feb 19, 2016