Protecting and keeping data safe
The question I had: Do we as a company get, by extension, the benefits of cloud companies having all the certificates and good practices when it comes to protecting and keeping data safe? We are working with *** and ***. An example scenario would be an auditor asking my company how we back up data, and our answer is that we back up our data on 2 different servers: *** and ***, for example. Would that be OK? Since we are not the ones responsible for the data, but we are offloading this to a much more secure company, is this something that we can evaluate as low risk and not implement special controls when it comes to protecting this data, since we are getting the benefits of using a cloud provider?
First, it is important to note that just because you are transferring the risk to a cloud provider, it does not mean the risk will automatically be lower. It only means that it will be handled by other entities, which in most cases will have a better cost-benefit relation when compared to treating the risk yourself.
Considering that, to get by extension the benefits of a certified cloud provider, and to ensure the provider will handle your data properly, you need to have a contract or service agreement with it covering your security needs. So, instead of implementing controls related directly to the identified risks, you will need to consider, for those risks, controls to handle supplier relationships.
These articles will provide you with further explanation about supplier security:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
These materials will also help you regarding supplier security:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 25, 2021