
5.23
ISO27k1 Full

Information security for use of cloud services

6
ISO 27017

Organization of information security

6.1
ISO 27017

Internal organization

6.1.3
ISO 27017

Contact with authorities

6.1.4
ISO 27017

Contact with special interest groups

CLD 6.3
ISO 27017

Relationship between cloud service customer and cloud service provider

CLD 6.3.1
ISO 27017

Shared roles and responsibilities within a cloud computing environment

Other tasks from the same security theme

Ensuring sufficient client data segregation and protection in external IT services

The organization must have a procedure to make sure the external service effectively segregates the environments of the service provider's different clients, so that no other client can gain unauthorized access to our environment.

The provider's concept for segregation should be documented and kept up to date as the service changes. The following should be considered:

  • Separation of data
  • Functions
  • Customer-specific software
  • Operating systems
  • Storage systems
  • Networking

There should also be a risk assessment for operating external software within a shared environment.

5.3.4: Information protection in external IT services
TISAX

Measures for data transfer of services in accordance with information security goals

The organization must implement practices and procedures so that the information coming out of the services is complete and timely. The procedures must take into account:

  • Protection of outgoing information, when stored or transferred, from theft, destruction, modification or other events affecting its integrity
  • Outgoing information is shared only with the intended recipients
  • Logging of outgoing data

PI1.4: Procedures for availability according to objectives
SOC 2

Measures for the implementation of information security objectives in the offered services

The organization must establish controls to accomplish information security objectives in offered services. Controls must take into account:

  • Data processing requirements
  • Necessary data processing
  • Detecting and correcting production errors
  • Data processing log
  • Completeness, accuracy and timeliness of data entry

PI1.3: Procedures for system processing to produce results according to objectives
SOC 2

Ensuring the completeness and accuracy of the information entering the systems

The organization must set up control measures to ensure the completeness and accuracy of the information entering the systems. For this purpose, the following should be defined:

  • The necessary characteristics of incoming data
  • Evaluation of incoming data sources
  • Logging of incoming data and maintenance of the logs

PI1.2: Implementation of policies and procedures for system inputs
SOC 2

Defining the information needed to maintain the services or products offered

When data is delivered as part of a product or service, or as part of a product- or service-related reporting obligation, the definition of the data must be available to the data users.

The definition of data includes the following information:

  • The number of events in the data
  • Type of information contained in each data element (e.g. field) and the event to which the data field relates
  • Sources of information
  • Unit(s) of measurement of each data element (e.g. field)
  • Precision of measurement
  • Uncertainty or confidence interval inherent in each data element
  • Date or time period of the event associated with the data
  • Variables (in addition to the date/period) that can be used to define the inclusion of items in data elements

PI1.1: Definitions of processed data
SOC 2

Assisting customer in fulfilling data subject requests

The organization should make it possible for the customer to fulfill its requirements regarding data subjects.

A.8.3: Obligations to PII principals
ISO 27701
A.8.3.1: Obligations to PII principals
ISO 27701

Providing information for fulfilling customer obligations

The organization should provide the customer with the necessary information so that the customer can demonstrate that it fulfills its obligations.

A.8.2.5: Customer obligations
ISO 27701

The role of the organization in critical infrastructure

The organization's own place and role in the critical infrastructure is defined and communicated to the necessary parties.

It is important to recognize whether society is more broadly dependent on the services produced by the organization. Such criticality of the operation can increase the risks of, for example, hybrid and information influence and emphasizes the need to be prepared for them.

ID.BE-2: Place in critical infrastructure
NIST
71: Identifying the organisation's role
Sec overview
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
CyFun

The role of the organization in the supply chain

The organization's own role in the supply chain is defined and communicated to the necessary partners.

ID.BE-1: Role in supply chain
NIST
ID.BE-1: The organization’s role in the supply chain is identified and communicated.
CyFun

Description of administrative data flows

The organization must describe the administrative flows of communications. The description of administrative data flows complements the description of integrations between systems.

ID.AM-3: Communication and data flows
NIST
ID.AM-3: Organizational communication and data flows are mapped.
CyFun

IPR complaint process in relation to offered cloud services

The cloud service provider should establish a process for responding to intellectual property rights complaints.

18: Compliance
ISO 27017
18.1: Compliance with legal and contractual requirements
ISO 27017
18.1.2: Intellectual property rights
ISO 27017

Secure disposal of cloud service specific resources

When offering cloud services, the organisation must have procedures in place for the safe disposal or potential reuse of resources used in providing the service, such as:

  • Equipment
  • Devices
  • Data storage
  • Files
  • Memory

When utilizing cloud services, the customer organisation should ensure secure disposal by requesting confirmation of these procedures from the cloud service provider.

PR.DS-3: Asset management
NIST
11: Physical and environmental security
ISO 27017
11.2: Equipment
ISO 27017
11.2.7: Secure disposal or re-use of equipment
ISO 27017
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
CyFun

Documentation of data owned by cloud service customers

When offering cloud services to customers, the organisation should have identified and listed the data related to the cloud services that the customer controls. These are referred to as external data stores.

The organisation also needs to inventory derived data that is created through offering the cloud service. Such data can be controlled by the organisation and listed in the system documentation instead of among the external data stores.

8.1.1: Inventory of assets
ISO 27017

Clear communication of organisation and data storage location in relation to offered cloud services

When offering cloud services, the organisation must clearly and actively inform the customer of the organisation’s geographic location and the countries where the customer's data is stored.

This information can help the customer e.g. in determining the relevant supervisory authorities and jurisdictions when utilizing the cloud service.

6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017

Detailed descriptions of implemented security measures on contracts related to offered cloud services

When an organization offers cloud services for its customers, the contract between the provider and customer should clearly specify the technical and organizational measures implemented to ensure information security.

The contract must also state that the data is not processed for any purpose other than according to the instructions of the controller.

When offering cloud services, the provider should be transparent about its information security measures during the process of entering into a contract. However, it is ultimately the customer’s responsibility to ensure that implemented measures by the provider meet its obligations.

A.11.11: Contract measures
ISO 27018
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017

Customer-oriented description of personal data return, transfer and disposal processes for offered cloud services

Personal data related to the offered cloud services will need to be disposed of properly, in accordance with storage limitation principles. Disposal can involve returning the data to the customer on request, transferring it to another company (e.g. as a result of a merger), or securely destroying, anonymizing or archiving it.

The organisation should have a clear written description of the retention period and of the return, transfer and disposal mechanisms for personal data. This description should be made available to the customer.

By using this description the customer should be able to understand how the organisation will ensure the personal data processed under a contract is erased (also by any of its sub-contractors) from all storage locations (including e.g. backup purposes) as soon as they are no longer necessary for the customer.

A.10.3: PII return, transfer and disposal
ISO 27018
A.8.4.2: Return, transfer, or disposal of PII
ISO 27701

Data subject’s right facilitation through offered cloud services

The cloud service customer often acts as the personal data controller and is responsible for fulfilling data subject rights, e.g. access to, correction or deletion of their personal data. The cloud service provider should provide the customer with the necessary means to enable this.

The organization has defined measures for how data controllers using the offered cloud services are assisted in fulfilling data subject rights. These may include e.g. cloud service features or manual support actions.

Relevant information and possible technical measures related to facilitation should be specified in the relevant contract.

A.2: Consent and choice
ISO 27018
A.2.1: Obligation to co-operate regarding PII principals’ rights
ISO 27018

Documented procedures and supervision for critical admin operations on offered cloud services

Critical admin operations mean operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.

Critical admin operations may include e.g. changes related to virtualized devices (e.g. servers, networks, storage), termination procedures, backup and restoration.

For all offered cloud services the critical admin operations are documented. Also the procedures for carrying out critical admin operations are documented beforehand in needed detail.

Whenever a critical admin operation is carried out, a supervisor named in the documentation monitors the operation.

In relation to offered cloud services, the cloud service provider must provide documentation about critical admin operations and procedures if required by customers.

CLD 12.1: Operational procedures and responsibilities
ISO 27017
CLD 12.1.5: Administrator's operational security
ISO 27017

Segregation of customer’s virtual environments in relation to offered cloud services

When offering cloud services, the cloud service customer’s virtual environment should be separated and protected from other customers and unauthorized persons.

To ensure this, the organisation should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network.

Segregation should also ensure the separation of the cloud service provider's internal administration from resources used by cloud service customers.

CLD 9.5.1: Segregation in virtual computing environments
ISO 27017

Documenting security-related responsibilities for offered cloud services and utilized data systems

When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. The service provider may be responsible for technical cyber security, while the customer is responsible for e.g. access management and providing user guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.

6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017

Use of a software firewall to protect provided digital services

All servers in the organization should be protected by a properly configured software firewall that monitors traffic, accepts only compliant traffic, and monitors users.

A WAF (web application firewall) should protect the offered digital services from attacks (e.g. SQL injection).

2.5.6: Protect particularly critical services with their own data flow
NSM ICT-SP

Listing offered digital services and naming owners

The organization must maintain a list of digital services provided and the owners designated for them. The owner is responsible for completing the information in the service and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

  • The type of digital service offered, the service category and the purpose of use
  • Data controller and related processing agreements
  • Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)

6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
A.2: Consent and choice
ISO 27018
A.2.1: Obligation to co-operate regarding PII principals’ rights
ISO 27018

Terms and conditions related to the offered digital services

The terms and conditions related to the digital services provided by the organization have been mapped and documented. The terms of the contract shall include at least the following:

  • Nature and extent of the service provided
  • Cyber security requirements (including the Shared Security Responsibility Model)
  • Description of the change management procedure
  • Stored logs and their monitoring
  • Procedures for fault management and reporting
  • Right to audit and third party evaluation
  • Compatibility
  • Privacy requirements and descriptions of the processing of personal data
  • Termination of service

A.3.1: Public cloud PII processor’s purpose
ISO 27018

Documenting partners who are related to offered digital services supply chain

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS, e.g. AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS and CDN).

Later on, the supply chain documentation can be used to review a more detailed division of security responsibilities.

A.8: Openness, transparency and notice
ISO 27018
A.8.1: Disclosure of sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017
A.8.5.6: Disclosure of subcontractors used to process PII
ISO 27701
A.8.5.7: Engagement of subcontractor to process PII
ISO 27701

Regular security assessment of partners in the supply chain of provided digital services

The organization shall define a security assessment and conduct it on a regular basis for the partners in the supply chain of the digital services provided.

This should ensure the compliance of the partners affecting the security of the services provided and thus the fulfillment of the terms of the contract.

ID.SC-3: Contracts with suppliers and third-party partners
NIST
21.2.d: Supply chain security
NIS2
9.4 §: Supply chain management and monitoring
KyberTL
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
CyFun
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
CyFun