Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

How cloud risks are mitigated

  Quote
Guest
Guest user Created:   Feb 19, 2016 Last commented:   Feb 19, 2016

How cloud risks are mitigated

An audit questionnaire from one of our customers includes:
0 0

Assign topic to the user

ISO 22301 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 22301 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
Antonio Jose Segovia Feb 19, 2016

Cloud-16 Do you have a document available to tenants describing your Information Security Management Program (ISMP) which addresses how cloud risks are mitigated (e.g. multi-tenancy, network segregation, entitlement)?

I can't seem to find this term in the context of 27001. Any idea what they might mean by this? This can't simply be the Information Security Policy, could it?

Answer:
You are right, the specific term “Information Security Management Program (ISMP)” is not used in ISO 27001 (neither ISO 27002), and without more specific information about the context or your situation is difficult for me give you more information.

Anyway, in your question I can read “how cloud risks are mitigated…”, and for the mitigation of any type of risks you need a methodology of risk management, so if you do not have this, I recommend you to try our toolkit “Risk Assessment and Risk Treatment Methodology” : https://advisera.com/27001academy/documentation/risk-assessment-and-risk-treatment-methodology/

With the methodology you can have a defined process for the management of risks, so basically you can identify risks and reduce, or mitigate, them with the implementation of security controls.

By the way, ISO 270017 is a code of practice for information security controls based on ISO 27002 for cloud services, and ISO 27018 is also a code of practice but for the protection of personally identifiable information in public clouds, so maybe can be interesting for you to read both standards. These articles can be also interesting for you:

"ISO 27001 vs. ISO 27017 - Information security controls for cloud services" : https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
"ISO 27001 vs . ISO 27018 - Standard for protecting privacy in the cloud" : https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 19, 2016

Feb 19, 2016