Detailed descriptions of required security measures for subcontractors on contracts related to offered cloud services

When involving subprocessors in processing personal data related to offered cloud services, the organization ensures that contracts clearly specify the minimum technical and organizational security measures required from subprocessors. 

Connected other frameworks and requirements:
A.11.12: Sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017

Documenting partners who are related to offered digital services supply chain

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for digital services must include the partners involved in the service supply chain. The partner listing must include supporting services (such as IaaS providers like AWS or MS Azure), other partners included in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (including IDaaS and CDN).

In the future, the supply chain documentation can be used to review a more detailed division of security responsibilities between the organization and its partners.

Connected other frameworks and requirements:
A.8: Openness, transparency and notice
ISO 27018
A.8.1: Disclosure of sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017
A.8.5.6: Disclosure of subcontractors used to process PII
ISO 27701
A.8.5.7: Engagement of subcontractor to process PII
ISO 27701

Required security objectives for cloud service subcontractors related to offered cloud services

When the organisation chooses to use another cloud service provider’s services for the provision of its own offered cloud services, the organisation must make sure that the information security level of its customers is maintained or exceeded.

To ensure this, the organisation must specify the required security objectives for the subcontractors included in the supply chain. These objectives should require the subcontractors to perform risk management in order to accomplish them.

Connected other frameworks and requirements:
15.1.3: Information and communication technology supply chain
ISO 27017

Confirming information security roles and responsibilities related to utilized cloud services

When an organisation is using a cloud-based data system, the organisation should understand and confirm the related information security roles and responsibilities as stated in the service agreement.

These can include responsibilities related, for example, to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management

Connected other frameworks and requirements:
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
15.1.3: Information and communication technology supply chain
ISO 27017
5.23: Information security for use of cloud services
ISO 27001