ISMS for a cloud provider

Guest user Created:   Jan 30, 2016 Last commented:   Jan 30, 2016

Antonio Jose Segovia Jan 30, 2016

We're implementing an ISMS for a cloud provider. Our client provides Housing services (clients bring their own devices to the Data Center), Hosting services (web hosting, etc.), and Cloud services (SaaS, IaaS). Virtual machines are managed by the client: they can install whatever they want on the machine, even the OS. The problem is, while identifying the assets, how do we deal with virtual machine management? Is the VM owned by the Cloud Provider or the Client?

Answer:
First of all, you need to clearly define the scope of the ISMS, because if the scope is limited to the Housing services, maybe there are no assets related to virtual machines. However, if the scope includes the Hosting services and/or Cloud services, from my point of view the virtual machines managed by the client need to be identified as assets in the risk assessment, because there are risks related to them that can affect the business of the Cloud provider (if the hosting service is provided through virtual machines, and they stop, the service cannot be provided).

Anyway, if the virtual machines are not managed by the cloud provider, I recommend that you exclude them from the scope of the ISMS.

This article about the scope may be of interest to you: “How to define the ISMS scope”: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

And this article about assets may also be of interest to you: “How to handle Asset register (Asset inventory) according to ISO 27001”: https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

By the way, these articles about ISO 27001 and cloud computing may also be of interest to you:

“ISO 27001 vs. ISO 27017 - Information security for cloud services”: https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

“Cloud computing and ISO 27001 / BS 25999”: https://advisera.com/27001academy/blog/2011/05/30/cloud-computing-and-iso-27001-bs-25999/

Finally, our online course may also be of interest to you: “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
