Requirements of ISO 27001 to be implemented by the CSP
Answer: You need to implement all the requirements from ISO 27001 clauses 4 to 10, and the applicable controls from Annex A, based on the results of the risk assessment. The standard doesn't specify precisely what the cloud service provider will need to implement - this is something you have to define based on the results of the risk assessment, and require those security controls through the agreement with this provider - the fact that they are already certified doesn't change anything in this approach.
These materials will help you:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Clause-by-clause explanation of ISO 27001 https://advisera.com/27001academy/free-downloads
2 - Also, we host PII information in the cloud. Do we need to comply against any specific ISO standards in addition to 27001? Appreciate your inputs.
Answer: There is no requirement to comply with any other ISO standard. However, if you want, you can implement ISO 27018, which describes protection of PII in the cloud. See this article: ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Oct 05, 2017