Information Security

  • Published by Viedoc System 2023-11-24

Introduction

Viedoc Technologies has implemented a risk-based Information Security Management System (ISMS) that provides a structured and continuous approach to information security. The ISMS covers all activities and sites company-wide and is certified against ISO/IEC 27001, with every Annex A control included in the scope of applicability. The statement of applicability below uses the ISO/IEC 27002:2013 control numbering and supplements each control, where relevant, with ISO/IEC 27017 cloud-specific guidance for the cloud service customer and provider, ISMAP criteria, and the mapped NIST SP 800-53 controls and control enhancements.

The information security posture and maturity of the Viedoc eClinical data management system, and the suitability of the design of its controls relevant to security and confidentiality, are additionally validated by a SOC 2 report issued by a third-party auditor.


Download the ISO 27001 certificate:

  • Viedoc
  • Viedoc Shanghai - English
  • Viedoc Shanghai - Chinese


Security Controls Statement of Applicability v4

Columns: Source | # | Subject | Control | Applicable

A.5 Information security policies

A.5.1 Management direction for information security

ISO 27002:2013 | A.5.1.1 | Policies for information security | A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. | Yes
ISO 27017:2021 | | | An information security policy for cloud computing should be defined as a topic-specific policy of the cloud service customer. […] | Yes
ISO 27017:2021 | | | The cloud service provider should augment its information security policy to address the provision and use of its cloud services, […] | Yes
ISO 27002:2013 | A.5.1.2 | Review of the policies for information security | The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. | Yes

A.6 Organization of information security

A.6.1 Internal organization

ISO 27002:2013 | A.6.1.1 | Information security roles and responsibilities | All information security responsibilities shall be defined and allocated. | Yes
ISO 27017:2021 | | | The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities and confirm that it can fulfil its allocated roles and responsibilities. […] | Yes
ISO 27017:2021 | | | The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers and its suppliers. | Yes
ISO 27002:2013; NIST SP 800-53 AC-5, PL-2 | A.6.1.2 | Segregation of duties | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | Yes
ISO 27002:2013; NIST SP 800-53 IR-6 | A.6.1.3 | Contact with authorities | Appropriate contacts with relevant authorities shall be maintained. | Yes
ISO 27017:2021 | | | The cloud service customer should identify the authorities relevant to the combined operation of the cloud service customer and the cloud service provider. | Yes
ISO 27017:2021 | | | The cloud service provider should inform the cloud service customer of the geographical locations of the cloud service provider's organization and the countries where the cloud service provider can store the cloud service customer data. | Yes
ISO 27002:2013 | A.6.1.4 | Contact with special interest groups | Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. | Yes
ISO 27002:2013 | A.6.1.5 | Information security in project management | Information security shall be addressed in project management, regardless of the type of the project. | Yes

A.6.2 Mobile devices and teleworking

ISO 27002:2013; NIST SP 800-53 AC-17, AC-18, AC-19 | A.6.2.1 | Mobile device policy | A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices. | Yes
ISO 27002:2013; NIST SP 800-53 AC-3, AC-17, PE-17 | A.6.2.2 | Teleworking | A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. | Yes

CLD.6.3 Relationship between cloud service customer and cloud service provider

ISO 27017:2021 | CLD.6.3.1 | Shared roles and responsibilities within a cloud computing environment | Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider. […] Customer: define procedure/policy and inform. Provider: document/communicate capabilities/roles/responsibilities. | Yes (customer); Yes (provider)

A.7 Human resource security

A.7.1 Prior to employment

ISO 27002:2013; NIST SP 800-53 PS-3 | A.7.1.1 | Screening | Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Yes
ISO 27002:2013 | A.7.1.2 | Terms and conditions of employment | The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. | Yes

A.7.2 During employment

ISO 27002:2013 | A.7.2.1 | Management responsibilities | Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. | Yes
ISO 27002:2013; NIST SP 800-53 AT-2, AT-3, IR-2 | A.7.2.2 | Information security awareness, education and training | All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. | Yes
ISO 27017:2021 | | | The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: […] | Yes
ISO 27017:2021 | | | The cloud service provider should provide awareness, education and training for employees, and request contractors to do the same, concerning the appropriate handling of cloud service customer data and cloud service derived data. […] | Yes
ISMAP | 7.2.2.19.PB | | Cloud service providers provide education and training to raise awareness among employees regarding the proper handling of cloud service customer data and cloud service derived data, and require contract parties to do the same. | Yes
NIST SP 800-53 | AT-2(2) | Security Awareness Training: Insider Threat | Provide literacy training on recognizing and reporting potential indicators of insider threat. | Yes
ISO 27002:2013 | A.7.2.3 | Disciplinary process | There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. | Yes

A.7.3 Termination and change of employment

ISO 27002:2013; NIST SP 800-53 PS-4, PS-5 | A.7.3.1 | Termination or change of employment responsibilities | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. | Yes

A.8 Asset management

A.8.1 Responsibility for assets

ISO 27002:2013; NIST SP 800-53 CM-8 | A.8.1.1 | Inventory of assets | Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. | Yes
ISO 27017:2021 | | | The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g. identification of the cloud service. | Yes
ISO 27017:2021 | | | The inventory of assets of the cloud service provider should explicitly identify: cloud service customer data; cloud service derived data. | Yes
ISO 27002:2013; NIST SP 800-53 CM-8 | A.8.1.2 | Ownership of assets | Assets maintained in the inventory shall be owned. | Yes
ISMAP | 8.1.2.7.PB | | The cloud service provider provides the cloud service customer with one of the following to manage the assets (including backups) of such customer: (1) a function that encrypts the assets managed by the relevant customer before they are recorded (including backups) on a storage medium, and enables the relevant customer to manage and delete the encryption key; (2) information necessary for the relevant customer to implement the function of encrypting the assets managed by the relevant customer before recording (including backup) them on the storage media, and to manage and delete the cryptographic keys. | Yes
ISO 27002:2013 | A.8.1.3 | Acceptable use of assets | Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. | Yes
ISO 27002:2013; NIST SP 800-53 PS-4, PS-5 | A.8.1.4 | Return of assets | All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. | Yes
ISO 27017:2021 | CLD.8.1.5 | Removal of cloud service customer assets | Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. […] Customer: request a documented description of the termination. Provider: provide information about the arrangements for the return. | Yes (customer); Yes (provider)

A.8.2 Information classification

ISO 27002:2013 | A.8.2.1 | Classification of information | Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. | Yes
ISO 27002:2013; NIST SP 800-53 MP-3 | A.8.2.2 | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Yes
ISO 27017:2021 | | | The cloud service customer should label information and associated assets maintained in the cloud computing environment in accordance with the cloud service customer's adopted procedures for labelling. […] | Yes
ISO 27017:2021 | | | The cloud service provider should document and disclose any service functionality it provides allowing cloud service customers to classify and label their information and associated assets. | Yes
ISMAP | 8.2.2.7.PB | | The cloud service provider documents and discloses the service functions that allow cloud service customers to classify and label the information and related assets handled by the cloud service provider. | Yes
ISO 27002:2013; NIST SP 800-53 MP-2, MP-4, MP-5, MP-6, MP-7, SC-8, SC-28 | A.8.2.3 | Handling of assets | Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Yes

A.8.3 Media handling

ISO 27002:2013; NIST SP 800-53 MP-2, MP-4, MP-6, MP-7 | A.8.3.1 | Management of removable media | Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. | Yes
NIST SP 800-53 | AC-20(2) | Use of External Information Systems: Portable Storage Devices - Restricted Use | Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions. | Yes
NIST SP 800-53 | MP-7(1) | Media Use: Prohibit Use Without Owner | The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner. | Yes
ISO 27002:2013; NIST SP 800-53 MP-6 | A.8.3.2 | Disposal of media | Media shall be disposed of securely when no longer required, using formal procedures. | Yes
ISO 27002:2013; NIST SP 800-53 MP-5 | A.8.3.3 | Physical media transfer | Media containing information shall be protected against unauthorized access, misuse or corruption during transportation. | Yes

A.9 Access control

A.9.1 Business requirements of access control

ISO 27002:2013 | A.9.1.1 | Access control policy | An access control policy shall be established, documented and reviewed based on business and information security requirements. | Yes
ISO 27002:2013; NIST SP 800-53 AC-3, AC-6 | A.9.1.2 | Access to networks and network services | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | Yes
ISO 27017:2021 | | | The cloud service customer's access control policy for the use of network services should specify requirements for user access to each separate cloud service that is used. | Yes
NIST SP 800-53 | AC-17(1) | Remote Access: Monitoring and Control | Employ automated mechanisms to monitor and control remote access methods. | Yes
NIST SP 800-53 | AC-18(1) | Wireless Access: Authentication and Encryption | Protect wireless access to the system using authentication of users and devices, and encryption. | Yes

A.9.2 User access management

ISO 27002:2013; NIST SP 800-53 AC-2, IA-2, IA-4, IA-5 | A.9.2.1 | User registration and de-registration | A formal user registration and de-registration process shall be implemented to enable assignment of access rights. | Yes
ISO 27017:2021 | | | To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer. | Yes
ISO 27002:2013; NIST SP 800-53 AC-2 | A.9.2.2 | User access provisioning | A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services. | Yes
ISO 27017:2021 | | | The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions. | Yes
NIST SP 800-53 | SC-2 | Application Partitioning | The information system separates user functionality (including user interface services) from information system management functionality. | Yes
NIST SP 800-53 | SC-4 | Information in Shared Resources | The information system prevents unauthorized and unintended information transfer via shared system resources. | Yes
ISO 27002:2013; NIST SP 800-53 AC-2, AC-6, CM-5 | A.9.2.3 | Management of privileged access rights | The allocation and use of privileged access rights shall be restricted and controlled. | Yes
ISO 27017:2021 | | | The cloud service customer should use sufficient authentication techniques (e.g., multi-factor authentication) for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. | Yes
ISO 27017:2021 | | | The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. | Yes
ISMAP | 9.2.3.11.PB | | Depending on the identified risks, cloud service providers provide sufficiently strong authentication technologies for administrator authentication of cloud service customers that are tailored to the management capabilities of the cloud service. | Yes
NIST SP 800-53 | AC-6(5) | Least Privilege: Privileged Accounts | Restrict privileged accounts on the system to organization-defined personnel or roles. | Yes
NIST SP 800-53 | AC-17(4) | Remote Access: Privileged Commands and Access | (a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: organization-defined needs; and (b) document the rationale for remote access in the security plan for the system. | Yes
ISO 27002:2013; NIST SP 800-53 IA-5 | A.9.2.4 | Management of secret authentication information of users | The allocation of secret authentication information shall be controlled through a formal management process. | Yes
ISO 27017:2021 | | | The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements. | Yes
ISO 27017:2021 | | | The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication. | Yes
ISO 27002:2013; NIST SP 800-53 AC-2 | A.9.2.5 | Review of user access rights | Asset owners shall review users' access rights at regular intervals. | Yes
ISO 27002:2013; NIST SP 800-53 AC-2 | A.9.2.6 | Removal or adjustment of access rights | The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. | Yes

A.9.3 User responsibilities

ISO 27002:2013; NIST SP 800-53 IA-5 | A.9.3.1 | Use of secret authentication information | Users shall be required to follow the organization's practices in the use of secret authentication information. | Yes

A.9.4 System and application access control

ISO 27002:2013; NIST SP 800-53 AC-3 | A.9.4.1 | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. | Yes
ISO 27017:2021 | | | The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service. | Yes
ISO 27017:2021 | | | The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service. | Yes
ISO 27002:2013; NIST SP 800-53 AC-7, AC-8, IA-6 | A.9.4.2 | Secure log-on procedures | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | Yes
NIST SP 800-53 | IA-2(1) | Identification and Authentication (Organizational Users): Network Access to Privileged Accounts | The information system implements multifactor authentication for network access to privileged accounts. | Yes
NIST SP 800-53 | IA-2(2) | Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts | The information system implements multifactor authentication for network access to non-privileged accounts. | Yes
NIST SP 800-53 | IA-2(3) | Identification and Authentication (Organizational Users): Local Access to Privileged Accounts | The information system implements multifactor authentication for local access to privileged accounts. | Yes
NIST SP 800-53 | IA-2(8) | Identification and Authentication (Organizational Users): Network Access to Privileged Accounts - Replay Resistant | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. | Yes
NIST SP 800-53 | IA-2(9) | Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts - Replay Resistant | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. | Yes
NIST SP 800-53 | IA-5(1) | Authenticator Management: Password-Based Authentication | The information system, for password-based authentication: (a) enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type; (b) enforces at least the following number of changed characters when new passwords are created: organization-defined number; (c) stores and transmits only cryptographically-protected passwords; (d) enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum and lifetime maximum; (e) prohibits password reuse for an organization-defined number of generations; and (f) allows the use of a temporary password for system logons with an immediate change to a permanent password. | Yes
ISO 27002:2013; NIST SP 800-53 IA-5 | A.9.4.3 | Password management system | Password management systems shall be interactive and shall ensure quality passwords. | Yes
ISO 27002:2013; NIST SP 800-53 AC-3, AC-6 | A.9.4.4 | Use of privileged utility programs | The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. | Yes
ISO 27017:2021 | | | Where the use of utility programs is permitted, the cloud service customer should identify the utility programs to be used in its cloud computing environment, and ensure that they do not interfere with the controls of the cloud service. | Yes
ISO 27017:2021 | | | The cloud service provider should identify the requirements for any utility programs used within the cloud service. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly. | Yes
NIST SP 800-53 | AC-6(1) | Least Privilege: Authorize Access to Security Functions | Authorize access for organization-defined individuals or roles to: organization-defined security functions (deployed in hardware, software, and firmware); and organization-defined security-relevant information. | Yes
NIST SP 800-53 | AC-6(2) | Least Privilege: Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to organization-defined security functions or security-relevant information use non-privileged accounts or roles when accessing nonsecurity functions. | Yes
NIST SP 800-53 | AC-6(10) | Least Privilege: Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | Yes
ISO 27002:2013; NIST SP 800-53 AC-3, AC-6, CM-5 | A.9.4.5 | Access control to program source code | Access to program source code shall be restricted. | Yes

CLD.9.5 Access control of cloud service customer data in shared virtual environment

ISO 27017:2021 | CLD.9.5.1 | Segregation in virtual computing environments | A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons. […] Applies to provider only. | Yes
ISO 27017:2021 | CLD.9.5.2 | Virtual machine hardening | Virtual machines in a cloud computing environment should be hardened to meet business needs. […] Applies to both customer and provider. | Yes
ISMAP | 9.5.2.PB | | When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened […], and that the appropriate technical measures are in place […] for each virtual machine used. | Yes

A.10 Cryptography

A.10.1 Cryptographic controls

ISO 27002:2013; NIST SP 800-53 SC-13 | A.10.1.1 | Policy on the use of cryptographic controls | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. | Yes
ISO 27017:2021 | | | The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. […] | Yes
ISO 27017:2021 | | | The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. […] | Yes
ISMAP | 10.1.1.9.PB | | The cloud service provider provides the cloud service customer with the capability to use cryptographic techniques to protect the information processed by the customer, or provides information about the environment in which the cryptographic techniques are used. | Yes
NIST SP 800-53 | AC-17(2) | Remote Access: Protection of Confidentiality and Integrity Using Encryption | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | Yes
NIST SP 800-53 | AC-19(5) | Access Control for Mobile Devices: Full Device or Container-based Encryption | Employ full-device encryption or container-based encryption to protect the confidentiality and integrity of information on organization-defined mobile devices. | Yes
NIST SP 800-53 | MP-5(4) | Media Transport: Cryptographic Protection | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. | Yes
NIST SP 800-53 | SC-8(1) | Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. | Yes
ISO 27002:2013; NIST SP 800-53 SC-12 | A.10.1.2 | Key management | A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. | Yes
ISO 27017:2021 | | | The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. | Yes
ISMAP | 10.1.2.20.PB | | The cloud service provider provides a cloud service customer with a function that allows said customer to manage cryptographic keys used to encrypt information managed by said customer, or provides information on how said customer manages cryptographic keys. | Yes

A.11

Physical and environmental security

A.11.1

Secure areas

ISO 27002:2013

A.11.1.1

NIST SP
800-53
PE-3

Physical security perimeter

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Yes

ISO 27002:2013

A.11.1.2

NIST SP
800-53
PE-2,

PE-4,
PE-5,
PE-3

Physical entry controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Yes

ISO 27002:2013

A.11.1.3

NIST SP
800-53
PE-5,
PE-3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and applied.

Yes

ISO 27002:2013

A.11.1.4

Protecting against external and environmental threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied

Yes

ISO 27002:2013

A.11.1.5

Working in secure areas

Procedures for working in secure areas shall be designed and applied.

Yes

ISO 27002:2013

A.11.1.6

Delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Yes

NIST SP
800-53
PE-6 Monitoring Physical Access

The organization:

  1. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
  2. Reviews physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
  3. Coordinates results of reviews and investigations with the organizational incident response capability.

A.11.2

Equipment

ISO 27002:2013

A.11.2.1

Equipment siting and protection

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Yes

ISO 27002:2013

A.11.2.2

Supporting utilities

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Yes

ISO 27002:2013

A.11.2.3

NIST SP 800-53
PE-4

Cabling security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

Yes

ISO 27002:2013

A.11.2.4

NIST SP
800-53
MA-2

Equipment maintenance

Equipment shall be correctly maintained to ensure its continued availability and integrity.

Yes

NIST SP 800-53 MA-3 Maintenance Tools The organization approves, controls, and monitors information system maintenance tools. Yes
NIST SP
800-53
MA-3(1) Maintenance Tools: Inspect Tools The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. Yes
NIST SP
800-53
MA-3(2) Maintenance Tools:
Inspect Media
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. Yes
NIST SP
800-53
MA-4 Nonlocal Maintenance

The organization:

  1. Approves and monitors nonlocal maintenance and diagnostic activities;
  2. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
  3. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
  4. Maintains records for nonlocal maintenance and diagnostic activities; and
  5. Terminates session and network connections when nonlocal maintenance is completed.
Yes
NIST SP 800-53 MA-5 Maintenance Personnel

The organization:

  1. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
  2. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
  3. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.
Yes

ISO 27002:2013

A.11.2.5

NIST SP
800-53
MA-2,
MA-5

Removal of assets

Equipment, information or software shall not be taken off-site without prior authorization.

Yes

ISO 27002:2013

A.11.2.6

NIST SP
800-53
AC-19,
AC-20,
MP-5,
PE-17

Security of equipment and assets off-premises

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

Yes

ISO 27002:2013

A.11.2.7

NIST SP
800-53
MP-6

Secure disposal or reuse of equipment

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Yes

ISO 27017:2021

The cloud service customer should request confirmation that the cloud service provider has the policies and procedures for secure disposal or reuse of resources.

Yes

ISO 27017:2021

The cloud service provider should ensure that arrangements are made for the secure disposal or reuse of resources (e.g. equipment, data storage, files, memory) in a timely manner.

Yes

ISO 27002:2013

A.11.2.8

NIST SP
800-53
AC-11

Unattended user equipment

Users shall ensure that unattended equipment has appropriate protection.

Yes

ISO 27002:2013

A.11.2.9

NIST SP

800-53
AC-11,
MP-2,
MP-4

Clear desk and clear screen policy

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

Yes

NIST SP 800-53 AC-11(1) Session Lock: Pattern-hiding Displays Conceal, via the device lock, information previously visible on the display with a publicly viewable image. Yes
NIST SP 800-53 AC-12 Session Termination Automatically terminate a user session after organization-defined conditions, or trigger events requiring session disconnect. Yes

A.12

Operations security

A.12.1

Operational procedures and responsibilities

ISO 27002:2013

A.12.1.1

Documented operating procedures

Operating procedures shall be documented and made available to all users who need them.

Yes

ISO 27002:2013

A.12.1.2

NIST SP 800-53 CM-3, CM-5

Change management

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Yes

ISO 27017:2021

The cloud service customer's change management process should take into account the impact of any changes made by the cloud service provider.

Yes

ISO 27017:2021

The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service that could adversely affect the cloud service. […]

Yes

ISMAP

12.1.2.11.PB

The cloud service provider provides cloud service customers with information about changes in cloud services that can adversely affect the information security of cloud service customers.

Yes

NIST SP 800-53 CM-2 Baseline Configuration The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. Yes
NIST SP 800-53 CM-6 Configuration Settings

The organization:

  1. Establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;
  2. Implements the configuration settings;
  3. Identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and
  4. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Yes
NIST SP 800-53 CM-8(1) Information System Component Inventory: Updates During Installations / Removals The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. Yes

ISO 27002:2013

A.12.1.3

Capacity management

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Yes

ISO 27017:2021

The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. […]

Yes

ISO 27017:2021

The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages.

Yes

ISO 27002:2013

A.12.1.4

NIST SP 800-53 CM-5

Separation of development, testing and operational environment

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Yes

ISO 27017:2021

CLD.12.1.5

Administrator's operational security

Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.

[…]

Customer: Document procedures for critical operations. Yes

Provider: Provide documentation about the critical operations. Yes

A.12.2

Protection from malware

ISO 27002:2013

A.12.2.1

NIST SP 800-53 AT-2, SI-3

Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness.

Yes

A.12.3

Backup

ISO 27002:2013

A.12.3.1

NIST SP 800-53 CP-9

Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.

Yes

ISO 27017:2021

Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. […]

Yes

ISO 27017:2021

The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. […]

Yes

A.12.4

Logging and monitoring

ISO 27002:2013

A.12.4.1

NIST SP 800-53 AU-3, AU-6, AU-11, AU-12

Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Yes

ISO 27017:2021

The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements.

Yes

ISO 27017:2021

The cloud service provider should provide logging capabilities to the cloud service customer.

Yes

NIST SP 800-53 AC-6(9) Least Privilege: Log Use of Privileged Functions Log the execution of privileged functions. Yes
NIST SP 800-53 AU-2 Audit Events

The organization:

  1. Determines that the information system is capable of auditing the following events: organization-defined auditable events;
  2. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  3. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  4. Determines that the following events are to be audited within the information system: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event.
Yes
NIST SP 800-53 AU-2(3) Audit Events: Reviews and Updates The organization reviews and updates the audited events at an organization-defined frequency. Yes
NIST SP 800-53 AU-3(1) Content of Audit Records: Additional Audit Information The information system generates audit records containing the following additional information: organization-defined additional, more detailed information. Yes
NIST SP 800-53 AU-5 Response To Audit Processing Failures

The information system:

  1. Alerts organization-defined personnel or roles in the event of an audit processing failure; and
  2. Takes the following additional actions: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).
Yes
NIST SP 800-53 AU-6(3) Audit Review, Analysis, And Reporting: Correlate Audit Repositories The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. Yes
NIST SP 800-53 AU-7 Audit Reduction And Report Generation

The information system provides an audit reduction and report generation capability that:

  1. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
  2. Does not alter the original content or time ordering of audit records.
Yes

ISO 27002:2013

A.12.4.2

NIST SP 800-53 AU-9

Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Yes

NIST SP 800-53 AU-9(4) Protection of Audit Information: Access By Subset of Privileged Users The organization authorizes access to management of audit functionality to only an organization-defined subset of privileged users. Yes
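What tamper protection of log information (A.12.4.2 / AU-9) and order-preserving audit reduction (AU-7) can look like in practice, as an added illustration that is not part of this statement and not Viedoc's implementation: each record carries the SHA-256 hash of its predecessor, so editing, deleting or reordering a stored record is detected on verification, while a report filter returns matching records unchanged and in their original order. The record layout, the sample events, the anchor convention and all helper names are constructed for this example.

```python
"""Hash-chained audit log with order-preserving report filtering.

Added illustration (not Viedoc's implementation): each record stores the
SHA-256 hash of its predecessor, so modification, deletion or reordering
of stored records is detected on verification; removal of the newest
records is caught by comparing the last hash with an anchor kept outside
the log. Record layout, sample events and helper names are constructed
for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record (example convention)


def canonical(obj) -> bytes:
    # Deterministic serialisation: writer and verifier must hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(prev_hash: str, seq: int, event: dict) -> str:
    # The hash covers the predecessor hash, the position and the event content.
    return hashlib.sha256(canonical({"prev": prev_hash, "seq": seq, "event": event})).hexdigest()


class AuditLog:
    """Append-only chained records; nothing here rewrites history."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "prev": prev, "event": event,
               "hash": record_hash(prev, seq, event)}
        self.records.append(rec)
        return rec


def verify_chain(records: list[dict]) -> tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = record_hash(prev, i, rec["event"])
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["hash"], expected)):
            return False, i
        prev = rec["hash"]
    return True, -1


def verify_anchor(records: list[dict], anchor_hash: str) -> bool:
    """Chain check plus comparison with a head hash stored outside the log
    (a separate system, or a signed periodic digest). This is what detects
    removal of the newest records, which the chain alone cannot see."""
    ok, _ = verify_chain(records)
    return ok and bool(records) and hmac.compare_digest(records[-1]["hash"], anchor_hash)


def report(records: list[dict], **criteria) -> list[dict]:
    """AU-7 style reduction: select records whose event matches every criterion.
    Returns the original record objects, unmodified and in original order."""
    return [r for r in records
            if all(r["event"].get(k) == v for k, v in criteria.items())]


def clone(records: list[dict]) -> list[dict]:
    # Deep copy via JSON, used to build tampered variants without touching the log.
    return json.loads(json.dumps(records))


def build_sample_log() -> AuditLog:
    # Constructed sample events, not real log data.
    log = AuditLog()
    log.append({"ts": "2023-11-24T08:00:00Z", "user": "alice", "action": "login", "result": "ok"})
    log.append({"ts": "2023-11-24T08:02:10Z", "user": "alice", "action": "privileged", "detail": "export dataset"})
    log.append({"ts": "2023-11-24T08:05:44Z", "user": "bob", "action": "login", "result": "failed"})
    log.append({"ts": "2023-11-24T08:06:01Z", "user": "bob", "action": "privileged", "detail": "grant role"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.records[-1]["hash"]          # would be stored on a separate system
    print("intact:", verify_chain(log.records))
    tampered = clone(log.records)
    tampered[1]["event"]["user"] = "mallory"  # edit one stored record
    print("edited record:", verify_chain(tampered))
    deleted = clone(log.records)
    del deleted[2]                            # drop a record from the middle
    print("deleted record:", verify_chain(deleted))
    truncated = log.records[:-1]              # drop the newest record
    print("truncated, chain only:", verify_chain(truncated), "with anchor:", verify_anchor(truncated, anchor))
    print("privileged actions:", [(r["seq"], r["event"]["user"]) for r in report(log.records, action="privileged")])
```

The chain on its own proves nothing about records removed from the tail, which is why verify_anchor compares the head hash with a value held where the log administrators of AU-9(4) cannot change it; in a deployment that anchor would be a forwarded copy on a separate system or a signed periodic digest, and the log itself would live on write-once storage.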

ISO 27002:2013

A.12.4.3

NIST SP 800-53 AU-9, AU-11

Administrator and operator logs

System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed.

Yes

ISO 27017:2021 If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. […] Yes

ISO 27002:2013

A.12.4.4

NIST SP 800-53 AU-8

Clock synchronisation

The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Yes

ISO 27017:2021

The cloud service customer should request information about the clock synchronization used for the cloud service provider's systems.

Yes

ISO 27017:2021

The cloud service provider should provide information to the cloud service customer regarding the clock used by the cloud service provider's systems, and information about how the cloud service customer can synchronize local clocks with the cloud service clock.

Yes

NIST SP 800-53 AU-8(1) Time Stamps: Synchronization With Authoritative Time Source

The information system:

  1. Compares the internal information system clocks, at an organization-defined frequency, with an organization-defined authoritative time source; and
  2. Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than an organization-defined time period.
Yes
NIST SP 800-53 SI-4 Information System Monitoring

The organization:

  1. Monitors the information system to detect:
    1. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
    2. Unauthorized local, network, and remote connections;
  2. Identifies unauthorized use of the information system through organization-defined techniques and methods;
  3. Deploys monitoring devices:
    1. Strategically within the information system to collect organization-determined essential information; and
    2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
  4. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
  5. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
  6. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
  7. Provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or at an organization-defined frequency.
Yes
NIST SP 800-53 SI-4(4) Information System Monitoring: Inbound And Outbound Communication Traffic The information system monitors inbound and outbound communications traffic at an organization-defined frequency for unusual or unauthorized activities or conditions. Yes

ISO 27017:2021

CLD.12.4.5

Monitoring of Cloud Services

The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.[…]

Customer: Request information on the service monitoring capabilities. Yes

Provider: Provide the monitoring capabilities. Yes

A.12.5

Control of operational software

ISO 27002:2013

A.12.5.1

NIST SP 800-53 CM-5, CM-7, CM-11

Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

Yes

A.12.6

Technical vulnerability management

ISO 27002:2013

A.12.6.1

NIST SP 800-53 RA-3, RA-5, SI-2

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Yes

ISO 27017:2021

The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided.

Yes

ISO 27017:2021

The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities that can affect the cloud services provided.

Yes

NIST SP 800-53 RA-5(1) Vulnerability Scanning: Update Tool Capability The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. Yes

ISO 27002:2013

A.12.6.2

NIST SP 800-53 CM-11

Restrictions on software installation

Rules governing the installation of software by users shall be established and implemented.

Yes

NIST SP 800-53 CM-7(1) Least Functionality: Periodic Review

The organization:

  1. Reviews the information system at an organization-defined frequency to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  2. Disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Yes
NIST SP 800-53 CM-7(2) Least Functionality: Prevent Program Execution The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions or rules authorizing the terms and conditions of software program usage. Yes
NIST SP 800-53 CM-7(4) Least Functionality: Unauthorized Software / Blacklisting

The organization:

  1. Identifies organization-defined software programs not authorized to execute on the information system;
  2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
  3. Reviews and updates the list of unauthorized software programs at an organization-defined frequency.
Yes
NIST SP 800-53 CM-7(5) Least Functionality: Authorized Software / Whitelisting

The organization:

  1. Identifies organization-defined software programs authorized to execute on the information system;
  2. Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
  3. Reviews and updates the list of authorized software programs at an organization-defined frequency.
Yes
NIST SP 800-53 SC-18 Mobile Code

The organization:

  1. Defines acceptable and unacceptable mobile code and mobile code technologies;
  2. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
  3. Authorizes, monitors, and controls the use of mobile code within the information system.
Yes

A.12.7

Information systems audit considerations

ISO 27002:2013

A.12.7.1

Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.

Yes

A.13

Communications security

A.13.1

Network security management

ISO 27002:2013

A.13.1.1

NIST SP 800-53 AC-3, AC-17, AC-18, AC-20, SC-7, SC-8, SC-10

Network controls

Networks shall be managed and controlled to protect information in systems and applications.

Yes

ISO 27002:2013

A.13.1.2

Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Yes

ISO 27002:2013

A.13.1.3

NIST SP 800-53 AC-4, SC-7

Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

Yes

ISO 27017:2021

The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements.

Yes

ISO 27017:2021

The cloud service provider should enforce segregation of network access for the following cases: […]

Yes

ISO 27017:2021

CLD.13.1.4

Alignment of security management for virtual and physical networks

Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.

No

NIST SP 800-53 AC-17(3) Remote Access: Managed Access Control Points Route remote accesses through authorized and managed network access control points. Yes
NIST SP 800-53 IA-3 Device Identification And Authentication The information system uniquely identifies and authenticates organization-defined specific and/or types of devices before establishing a local, remote or network connection. Yes
NIST SP 800-53 SC-7(5) Boundary Protection: Deny By Default / Allow By Exception The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). Yes
NIST SP 800-53 SC-7(7) Boundary Protection: Prevent Split Tunneling For Remote Devices The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communication via some other connection to resources in external networks. Yes

A.13.2

Information transfer

ISO 27002:2013

A.13.2.1

NIST SP 800-53 AC-4, AC-17, AC-18, AC-19, AC-20, PE-17, SC-7, SC-8, SC-15

Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Yes

ISO 27002:2013

A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization and external parties.

Yes

ISO 27002:2013

A.13.2.3

NIST SP 800-53 SC-8

Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

Yes

NIST SP 800-53 SC-19 Voice Over Internet Protocol

The organization:

  1. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and
  2. Authorizes, monitors, and controls the use of VoIP within the information system.
Yes

ISO 27002:2013

A.13.2.4

Confidentiality or nondisclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

Yes

A.14

System acquisition, development and maintenance

A.14.1

Security requirements of information systems

ISO 27002:2013

A.14.1.1

Information security requirements analysis and specification

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

Yes

ISO 27017:2021

The cloud service customer should determine its information security requirements for the cloud service and then evaluate whether services offered by a cloud service provider can meet these requirements. […]

Yes

ISO 27017:2021

The cloud service provider should provide information to the cloud service customers about the information security capabilities they use. […]

Yes

ISO 27002:2013

A.14.1.2

NIST SP 800-53 AC-3, AC-4, AC-17, SC-8, SC-13

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

Yes

ISO 27002:2013

A.14.1.3

NIST SP 800-53 AC-3, AC-4, SC-7, SC-8, SC-13

Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Yes

A.14.2

Security in development and support processes

ISO 27002:2013

A.14.2.1

Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

Yes

ISO 27017:2021

The cloud service customer should request information from the cloud service provider about the cloud service provider's use of secure development procedures and practices

Yes

ISO 27017:2021

The cloud service provider should provide information about its use of secure development procedures and practices to the extent compatible with its policy for disclosure.

Yes

ISO 27002:2013

A.14.2.2

NIST SP 800-53 CM-3, SI-2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Yes

ISO 27002:2013

A.14.2.3

NIST SP 800-53 CM-3, CM-4, SI-2

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Yes

ISO 27002:2013

A.14.2.4

NIST SP 800-53 CM-3

Restrictions on changes to software packages

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Yes

ISO 27002:2013

A.14.2.5

NIST SP 800-53 SA-8

Secure system engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

Yes

ISO 27002:2013

A.14.2.6

Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Yes

ISO 27002:2013

A.14.2.7

Outsourced development

The organization shall supervise and monitor the activity of outsourced system development.

Yes

ISO 27002:2013

A.14.2.8

NIST SP 800-53 CA-2

System security testing

Testing of security functionality shall be carried out during development.

Yes

ISO 27002:2013

A.14.2.9

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Yes

A.14.3

Test data

ISO 27002:2013

A.14.3.1

Protection of test data

Test data shall be selected carefully, protected and controlled.

Yes

A.15

Supplier relationships

A.15.1

Information security in supplier relationships

ISO 27002:2013

A.15.1.1

Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

Yes

ISO 27017:2021

The cloud service customer should include the cloud service provider as a type of supplier in its information security policy for supplier relationships. This will help to mitigate risks associated with the cloud service provider's access to and management of the cloud service customer data.

Yes

ISMAP

15.1.1.16.B

The cloud service provider evaluates the risk of information handled in the service provided by the cloud service provider being accessed or processed without the cloud service customer's intention as a result of the application of laws other than domestic laws to the information handled. Based on this evaluation, the cloud service provider selects an external contractor and, if necessary, specifies the location where the contracted work will be performed and the governing law and jurisdiction as stipulated in the contract.

Yes

ISO 27002:2013

A.15.1.2

Addressing security within supplier agreements

All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information.

Yes

ISO 27017:2021

The cloud service customer should confirm the information security roles and responsibilities relating to the cloud service, as described in the service agreement. […]

Yes

ISO 27017:2021

The cloud service provider should specify as part of an agreement the relevant information security measures that the cloud service provider will implement to ensure no misunderstanding between the cloud service provider and cloud service customer. […]

Yes

ISMAP

15.1.2.18.PB

The cloud service provider defines, as part of the agreement, appropriate information security measures to be implemented by the cloud service provider to avoid misunderstandings between the cloud service provider and cloud service customers.

Yes

NIST SP 800-53 AC-20(1) Use of External Information Systems: Limits on Authorized Use

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

  1. Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
  2. Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
Yes

ISO 27002:2013

A.15.1.3

Information and communication technology supply chain

Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain.

Yes

ISO 27017:2021

If a cloud service provider uses cloud services of peer cloud service providers, the cloud service provider should ensure information security levels to its own cloud service customers are maintained or exceeded. […]

Yes

A.15.2

Supplier service delivery management

ISO 27002:2013

A.15.2.1

Monitoring and review of supplier services

Organizations shall regularly monitor, review and audit supplier service delivery.

Yes

ISO 27002:2013

A.15.2.2

Managing changes to supplier services

Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.

Yes

A.16

Information security incident management

A.16.1

Management of information security incidents and improvements

ISO 27002:2013

A.16.1.1

Responsibilities and procedures

Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents.

Yes

ISO 27017:2021

The cloud service customer should verify the allocation of responsibilities for information security incident management and should ensure that it meets the requirements of the cloud service customer.

Yes

ISO 27017:2021

As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider.[…]

Yes

ISO 27002:2013

A.16.1.2

NIST SP 800-53 AU-6, IR-6

Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible.

Yes

ISO 27017:2021

The cloud service customer should request information from the cloud service provider about the mechanisms for: […]

Yes

ISO 27017:2021

The cloud service provider should provide mechanisms for: […]

Yes

ISO 27002:2013

A.16.1.3

NIST SP 800-53 SI-2

Reporting information security weaknesses

Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services.

Yes

ISO 27002:2013

A.16.1.4

NIST SP 800-53 AU-6, IR-4, SI-5

Assessment of and decision on information security events

Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents.

Yes

ISO 27002:2013

A.16.1.5

NIST SP 800-53 IR-4

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Yes

ISO 27002:2013

A.16.1.6

NIST SP 800-53 IR-4

Learning from information security incidents

Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents.

Yes

NIST SP 800-53 IR-5 Incident Monitoring The organization tracks and documents information system security incidents. Yes

ISO 27002:2013

A.16.1.7

NIST SP 800-53 AU-12

Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.

Yes

ISO 27017:2021

Cloud service customer: The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment.

Yes

ISO 27017:2021

Cloud service provider: The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment.

Yes

NIST SP 800-53 IR-7 Incident Response Assistance The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. Yes
NIST SP 800-53 IR-3 Incident Response Testing The organization tests the incident response capability for the information system at an organization-defined frequency, using organization-defined tests, to determine the incident response effectiveness and documents the results. Yes

A.17

Information security aspects of business continuity management

A.17.1

Information security continuity

ISO 27002:2013

A.17.1.1

Planning information security continuity

The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster.

Yes

ISO 27002:2013

A.17.1.2

NIST SP 800-53 CP-9

Implementing information security continuity

The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation.

Yes

ISO 27002:2013

A.17.1.3

Verify, review and evaluate information security continuity

The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations.

Yes

NIST SP 800-53 CA-5 Plan Of Action And Milestones

The organization:

  1. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  2. Updates the existing plan of action and milestones at an organization-defined frequency based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.
Yes
NIST SP 800-53 CA-7 Continuous Monitoring

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. Establishment of organization-defined metrics to be monitored;
  2. Establishment of organization-defined frequencies for monitoring and organization-defined frequencies for assessments supporting such monitoring;
  3. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
  4. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
  5. Correlation and analysis of security-related information generated by assessments and monitoring;
  6. Response actions to address results of the analysis of security-related information; and
  7. Reporting the security status of organization and the information system to organization-defined personnel or roles organization-defined frequency.
Yes

A.17.2

Redundancies

ISO 27002:2013

A.17.2.1

Availability of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Yes

A.18 Compliance

A.18.1 Compliance with legal and contractual requirements

ISO 27002:2013 | A.18.1.1 | Identification of applicable legislation and contractual requirements | All relevant legislative, statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | Yes
ISO 27017:2021 | - | - | The cloud service customer should consider the issue that relevant laws and regulations can be those of jurisdictions governing the cloud service provider, in addition to those governing the cloud service customer. […] | Yes
ISO 27017:2021 | - | - | The cloud service provider should inform the cloud service customer of the legal jurisdictions governing the cloud service. | Yes
ISO 27002:2013 | A.18.1.2 | Intellectual property rights | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | Yes
ISO 27017:2021 | - | - | Installing commercially licensed software in a cloud service can cause a breach of the license terms for the software. […] | Yes
ISO 27017:2021 | - | - | The cloud service provider should establish a process for responding to intellectual property rights complaints. | Yes
ISO 27002:2013; NIST SP 800-53 AC-3, AU-9, CP-9 | A.18.1.3 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. | Yes
ISO 27017:2021 | - | - | The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. | Yes
ISO 27017:2021 | - | - | The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. | Yes
ISO 27002:2013 | A.18.1.4 | Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | Yes
ISO 27002:2013; NIST SP 800-53 SC-13 | A.18.1.5 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | Yes
ISO 27017:2021 | - | - | The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. | Yes
ISO 27017:2021 | - | - | The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. | Yes

A.18.2 Information security reviews

ISO 27002:2013 | A.18.2.1 | Independent review of information security | The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | Yes
ISO 27017:2021 | - | - | The cloud service customer should request documented evidence that the implementation of information security controls and guidelines for the cloud service is in line with any claims made by the cloud service provider. | Yes
ISO 27017:2021 | - | - | The cloud service provider should provide documented evidence to the cloud service customer to substantiate its claim of implementing information security controls. […] | Yes
ISO 27002:2013; NIST SP 800-53 CA-2 | A.18.2.2 | Compliance with security policies and standards | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | Yes
ISO 27002:2013; NIST SP 800-53 CA-2 | A.18.2.3 | Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization’s security policies and standards. | Yes

SOC 2 report

The SOC 2 report can be shared with interested parties upon request. Please contact Viedoc's QA department at audit@viedoc.com to submit a request.