Detailed descriptions of implemented security measures on contracts related to offered cloud services

When an organization offers cloud services to its customers, the contract between the provider and the customer should clearly specify the technical and organizational measures the provider has implemented to ensure information security.

The contract must also state that the data is processed only according to the instructions of the controller and for no other purpose.

When offering cloud services, the provider should be transparent about its information security measures while the contract is being negotiated. However, it remains the customer's responsibility to verify that the measures the provider has implemented satisfy the customer's own obligations.

Connected frameworks and requirements:
A.11.11: Contract measures (ISO 27018)
15: Supplier relationships (ISO 27017)
15.1: Information security in supplier relationships (ISO 27017)
15.1.2: Addressing security within supplier agreements (ISO 27017)

Confirming information security roles and responsibilities related to utilized cloud services

When an organisation uses a cloud-based data system, it should understand and confirm the information security roles and responsibilities of each party as stated in the service agreement.

These can include, for example, responsibilities related to:

  • Malware protection
  • Cryptographic controls
  • Backup
  • Vulnerability and incident management
  • Compliance and security testing
  • Authentication, identity and access management

Connected frameworks and requirements:
15: Supplier relationships (ISO 27017)
15.1: Information security in supplier relationships (ISO 27017)
15.1.2: Addressing security within supplier agreements (ISO 27017)
15.1.3: Information and communication technology supply chain (ISO 27017)
5.23: Information security for use of cloud services (ISO 27001)