Questions regarding the template of ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit

1) Which section does “privileges in respect to the abovementioned user profiles” in 3.4. Organization’s privilege management refer to? Is this 3.2 or 3.3?

Section 3.4 refer to all previous sections which define profiles (in this case both section 3.2 and 3.3).

In case your company defines more profiles (e.g., 4), the “abovementioned user profiles” will range from sections 3.2 to 3.5 (and the section about Privilege Management will be 3.6).

2) If it’s 3.3 then looks like 3.4 and 3.5 will cover the same thing?

Please note that sections 3.4 (Privilege management) and 3.5 (Regular review of access rights) have different purposes.

While section 3.4 is focused on who has the right to grant or remove access rights, section 3.5 is focused on the frequency of reviewing granted access to ensure they are still needed, or if new accesses need to be provided, and this review is applicable for all defined access, not only for privileged accesses.

3) But, section 3.7 mentions “Organizations’ personal defined in 3.4 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”. Which makes me wonder 3.4. is for 3.3. Is it correct? Or, this should be “Organizations’ personal defined in 3.5 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”

Can you please explain as I am not clear what to cover in those sections?

As explained in the answer to question 1, section 3.4 refers to both sections 3.2 and 3.3 (related to user profiles).

In short, these sections have the following purposes:

• Sections 3.2 and 3.3: define for certain types of users (i.e., profiles) which assets they can access, and what they can do with them (e.g., HR profile, finance profile, audit profile, etc.)
• Section 3.4 defines who can grant/remove access of users to profiles (for example, the HR manager is the one who can grant/remove access of users to the HR profile)
• Section 3.5 defines when the responsible person for an asset needs to review implemented accesses (for example, the HR manager is responsible for the HR management software, and access to it need to be reviewed every six months)
• Section 3.7 defines who must implement defined access rights. Often the person who defines access has a management role, while the person who implements the access has a technical role (for example, the implementation of access rights defined by the HR manager to the HR software may be implemented by an IT technician).

Hi Rhand Leal, 

Thank you for the reply, but your answers do not really make sense to me. 

I am using the same numbering as above for the question topic.

1) If the range of “abovementioned user profiles” is from sections 3.2 to 3.5 as you said, I cannot use the word “abovementioned” in 3.4 as profiles in 3.5 is not yet mentioned. And, 3.5 is not user profiles. It is “Cloud services privilege management”. The answer to my No.3 question, you said this to be covered setion 3.2 and 3.3. So, I guess it is a typo? you mean the range of "abovementioned user profiles" is actually from section 3.2 to 3.3?

2)Section 3.5 is not “Regular view of access rights”. It is “Cloud service privilege management” as I mentioned before.  Regular review of access rights is section 3.6 in the template.

3) If section 3.4 is to cover section 3.2. and 3.3, then why section 3.5 mentioend that "Privileges in respect to the cloud service’s profiles mentioned in section 3.3 (granting or removing access rights) are allocated by [organization name] in the following way: "? If I covered priviledged management of section 3.3 in 3.4, why do I need to cover again in section 3.5? Section 3.7 is regular review of cloud services access rights. Implmentaion is section 3.9. 

I wonder you are having a same template as I have. 

FYI, the template I purchased have below sections 

3.2 Access control rules for organization

3.3 Access control rule for cloud services

3.4 Organization’s privilege management   

3.5 Cloud services privilege management

3.6 Regular review of organization’s access rights

3.7 Regular review of cloud services access rights.

3.9. Technical implementation

First of all, sorry for this confusion.

To avoid further confusion, instead of answer your current questions, I rewrote the first answers sent to you considering the correct template.

1) Which section does “privileges in respect to the abovementioned user profiles” in 3.4. Organization’s privilege management refer to? Is this 3.2 or 3.3?

Section 3.4 refers to privilege management of profiles defined in section 3.2

To make the text clearer, you can change the first paragraph of section 3.4 from “Privileges in respect to the abovementioned user profiles for [organization name] (granting or removing access rights) are allocated in the following way:” to “Privileges in respect to the user profiles mentioned in section 3.2 for [organization name] (granting or removing access rights) are allocated in the following way:”

2) If it’s 3.3 then looks like 3.4 and 3.5 will cover the same thing?

Please note that sections 3.4 and 3.5 have different purposes. Section 3.4 refers to the management of profiles used by the organization (covered by section 3.2) and section 3.5 refers to the management of profiles related to provided cloud services (covered by section 3.3).

3) But, section 3.7 mentions “Organizations’ personal defined in 3.4 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”. Which makes me wonder 3.4. is for 3.3. Is it correct? Or, this should be “Organizations’ personal defined in 3.5 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…”

Your assumption is correct the reference must be to section 3.5 not to section 3.4. We’ll make this correction ASAP. Thanks for this feedback.