Information Security
Introduction
Viedoc Technologies have implemented a risk-based Information Security Management System (ISMS) that facilitates a structured and continuous approach to information security. Our ISMS covers all activities and sites company-wide and is certified according to ISO 27001 with all Annex A controls included in our scope of applicability.
Download the certificate

Security Controls Statement of Applicability v4
Source |
# |
Subject |
Control |
Applicable |
A.5 |
Information security policies |
|||
A.5.1 |
Management direction for information security |
|||
ISO 27002:2013 |
A.5.1.1 |
Policies for information security |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
Yes |
ISO 27017:2021 | An information security policy for cloud computing should be defined as a topic-specific policy of the cloud service customer. […] | Yes | ||
ISO 27017:2021 | The cloud service provider should augment its information security policy to address the provision and use of its cloud services, […] | Yes | ||
ISO 27002:2013 |
A.5.1.2 |
Review of the policies for information security |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. |
Yes |
A.6 |
Organization of information security |
|||
A.6.1 |
Internal organization |
|||
ISO 27002:2013 |
A.6.1.1 |
Information security roles and responsibilities |
All information security responsibilities shall be defined and allocated. |
Yes |
ISO 27017:2021 |
The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities and confirm that it can fulfil its allocated roles and responsibilities. […] | Yes | ||
ISO 27017:2021 |
The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers and its suppliers. | Yes | ||
ISO 27002:2013 |
A.6.1.2 |
Segregation of duties |
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. |
Yes |
ISO 27002:2013 |
A.6.1.3 |
Contact with authorities |
Appropriate contacts with relevant authorities shall be maintained |
Yes |
ISO 27017:2021 |
The cloud service customer should identify the authorities relevant to the combined operation of the cloud service customer and the cloud service provider. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should inform the cloud service customer of the geographical locations of the cloud service provider's organization and the countries where the cloud service provider can store the cloud service customer data. |
Yes |
||
ISO 27002:2013 |
A.6.1.4 |
Contact with special interest groups |
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. |
Yes |
ISO 27002:2013 |
A.6.1.5 |
Information security in project management |
Information security shall be addressed in project management, regardless of the type of the project. |
Yes |
A.6.2 |
Mobile devices and teleworking |
|||
ISO 27002:2013 |
A.6.2.1 |
Mobile device policy |
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices |
Yes |
ISO 27002:2013 |
A.6.2.2 |
Teleworking |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
Yes |
CLD.6.3 |
Relationship between cloud service customer and cloud service provider |
|||
ISO 27017:2021 |
CLD.6.3.1 |
Shared roles and responsibilities within a cloud computing environment |
Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider. […] Customer: Define procedure/policy and inform Provider: Document/communicate capabilities/roles/responsibilities |
Yes |
Yes | ||||
A.7 |
Human resource security |
|||
A.7.1 |
Prior to employment |
|||
ISO 27002:2013 |
A.7.1.1 |
Screening |
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
Yes |
ISO 27002:2013 |
A.7.1.2 |
Terms and conditions of employment |
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. |
Yes |
A.7.2 |
During employment |
|||
ISO 27002:2013 |
A.7.2.1 |
Management responsibilities |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
Yes |
ISO 27002:2013 |
A.7.2.2 |
Information security awareness, education and training |
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. |
Yes |
ISO 27017:2021 |
The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide awareness, education and training for employees, and request contractors to do the same, concerning the appropriate handling of cloud service customer data and cloud service derived data. […] |
Yes |
||
ISMAP |
7.2.2.19.PB |
Cloud service providers provide education and training to raise awareness among employees regarding the proper handling of cloud service customer data and cloud service derived data, and require contract parties to do the same. |
Yes |
|
ISO 27002:2013 |
A.7.2.3 |
Disciplinary process |
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. |
Yes |
A.7.3 |
Termination and change of employment |
|||
ISO 27002:2013 |
A.7.3.1 |
Termination or change of employment responsibilities |
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. |
Yes |
A.8 |
Asset management |
|||
A.8.1 |
Responsibility for assets |
|||
ISO 27002:2013 |
A.8.1.1 |
Inventory of assets |
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. |
Yes |
ISO 27017:2021 |
The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g. identification of the cloud service. |
Yes | ||
ISO 27017:2021 |
The inventory of assets of the cloud service provider should explicitly identify: –cloud service customer data; –cloud service derived data. |
Yes | ||
ISO 27002:2013 |
A.8.1.2 |
Ownership of assets |
Assets maintained in the inventory shall be owned. |
Yes |
ISMAP |
8.1.2.7.PB |
The cloud service provider provides the cloud service customer with one of the following to manage the assets (including backups) of such customer.
|
Yes | |
ISO 27002:2013 |
A.8.1.3 |
Acceptable use of assets |
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. |
Yes |
ISO 27002:2013 |
A.8.1.4 |
Return of assets |
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. |
Yes |
ISO 27017:2021 |
CLD.8.1.5 |
Removal of cloud service customer assets |
Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. […] Customer: Request a documented description of the termination Provider: Provide information about the arrangements for the return |
Yes |
Yes | ||||
A.8.2 |
Information classification |
|||
ISO 27002:2013 |
A.8.2.1 |
Classification of information |
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
Yes |
ISO 27002:2013 |
A.8.2.2 |
Labelling of information |
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
Yes |
ISO 27017:2021 |
The cloud service customer should label information and associated assets maintained in the cloud computing environment in accordance with the cloud service customer's adopted procedures for labelling. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should document and disclose any service functionality it provides allowing cloud service customers to classify and label their information and associated assets. |
Yes |
||
ISMAP |
8.2.2.7.PB |
The cloud service provider documents and discloses the service functions that allow cloud service customers to classify and label the information and related assets handled by the cloud service providers. |
Yes |
|
ISO 27002:2013 |
A.8.2.3 |
Handling of assets |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization |
Yes |
A.8.3 |
Media handling |
|||
ISO 27002:2013 |
A.8.3.1 |
Management of removable media |
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. |
Yes |
ISO 27002:2013 |
A.8.3.2 |
Disposal of media |
Media shall be disposed of securely when no longer required, using formal procedures. |
Yes |
ISO 27002:2013 |
A.8.3.3 |
Physical media transfer |
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation |
Yes |
A.9 |
Access control |
|||
A.9.1 |
Business requirements of access control |
|||
ISO 27002:2013 |
A.9.1.1 |
Access control policy |
An access control policy shall be established, documented and reviewed based on business and information security requirements. |
Yes |
ISO 27002:2013 |
A.9.1.2 |
Access to networks and network services |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
Yes |
ISO 27017:2021 |
The cloud service customer's access control policy for the use of network services should specify requirements for user access to each separate cloud service that is used. | Yes | ||
A.9.2 |
User access management |
|||
ISO 27002:2013 |
A.9.2.1 |
User registration and de-registration |
A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
Yes |
ISO 27017:2021 |
To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer. |
Yes | ||
ISO 27002:2013 |
A.9.2.2 |
User access provisioning |
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services |
Yes |
ISO 27017:2021 |
The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions. |
Yes |
||
ISO 27002:2013 |
A.9.2.3 |
Management of privileged access rights |
The allocation and use of privileged access rights shall be restricted and controlled. |
Yes |
ISO 27017:2021 | The cloud service customer should use sufficient authentication techniques (e.g.,multi-factor authentication) for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service according to the identified risks. | Yes | ||
ISO 27017:2021 | The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. | Yes | ||
ISMAP | 9.2.3.11.PB |
Depending on the identified risks, cloud service providers provide sufficiently strong authentication technologies for administrator authentication of cloud service customers that are tailored to the management capabilities of the cloud service |
Yes | |
ISO 27002:2013 |
A.9.2.4 |
Management of secret authentication information of users |
The allocation of secret authentication information shall be controlled through a formal management process. |
Yes |
ISO 27017:2021 | The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements. | Yes | ||
ISO 27017:2021 | The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication. | Yes | ||
ISO 27002:2013 |
A.9.2.5 |
Review of user access rights |
Asset owners shall review users’ access rights at regular intervals. |
Yes |
ISO 27002:2013 |
A.9.2.6 |
Removal or adjustment of access rights |
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. |
Yes |
A.9.3 |
User responsibilities |
|||
ISO 27002:2013 |
A.9.3.1 |
Use of secret authentication information |
Users shall be required to follow the organization’s practices in the use of secret authentication information |
Yes |
A.9.4 |
System and application access control |
|||
ISO 27002:2013 |
A.9.4.1 |
Information access restriction |
Access to information and application system functions shall be restricted in accordance with the access control policy. |
Yes |
ISO 27017:2021 |
The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service. |
Yes |
||
ISO 27002:2013 |
A.9.4.2 |
Secure log-on procedures |
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
Yes |
ISO 27002:2013 |
A.9.4.3 |
Password management system |
Password management systems shall be interactive and shall ensure quality passwords. |
Yes |
ISO 27002:2013 |
A.9.4.4 |
Use of privileged utility programs |
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
Yes |
ISO 27017:2021 |
Where the use of utility programs is permitted, the cloud service customer should identify the utility programs to be used in its cloud computing environment, and ensure that they do not interfere with the controls of the cloud service. |
Yes | ||
ISO 27017:2021 |
The cloud service provider should identify the requirements for any utility programs used within the cloud service. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly. |
Yes | ||
ISO 27002:2013 |
A.9.4.5 |
Access control to program source code |
Access to program source code shall be restricted. |
Yes |
CLD.9.5 |
Access control of cloud service customer data in shared virtual environment |
|||
ISO 27017:2021 |
CLD.9.5.1 |
Segregation in virtual computing environments |
A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons. […] Applies to provider only. |
Yes |
ISO 27017:2021 |
CLD.9.5.2 |
Virtual machine hardening |
Virtual machines in a cloud computing environment should be hardened to meet business needs. […] Applies to both customer and provider. |
Yes |
ISMAP |
9.5.2.PB |
When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened […], and that the appropriate technical measures are in place […] for each virtual machine used. |
Yes | |
A.10 |
Cryptography |
|||
A.10.1 |
Cryptographic controls |
|||
ISO 27002:2013 |
A.10.1.1 |
Policy on the use of cryptographic controls |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
Yes |
ISO 27017:2021 |
The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. […] |
Yes |
||
ISMAP | 10.1.1.9.PB |
The cloud service provider provides the cloud service customer with the capability to use cryptographic techniques to protect the information processed by the customer, or provides information about the environment in which the cryptographic techniques are used. |
Yes |
|
ISO 27002:2013 |
A.10.1.2 |
Key management |
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle |
Yes |
ISO 27017:2021 |
The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. |
Yes |
||
ISMAP |
10.1.2.20.PB |
The cloud service provider provides a cloud service customer with a function that allows said customer to manage cryptographic keys used to encrypt information managed by said customer, or provides information on how said customer manages cryptographic keys |
Yes |
|
A.11 |
Physical and environmental security |
|||
A.11.1 |
Secure areas |
|||
ISO 27002:2013 |
A.11.1.1 |
Physical security perimeter |
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
Yes |
ISO 27002:2013 |
A.11.1.2 |
Physical entry controls |
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
Yes |
ISO 27002:2013 |
A.11.1.3 |
Securing offices, rooms and facilities |
Physical security for offices, rooms and facilities shall be designed and applied. |
Yes |
ISO 27002:2013 |
A.11.1.4 |
Protecting against external and environmental threats |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied |
Yes |
ISO 27002:2013 |
A.11.1.5 |
Working in secure areas |
Procedures for working in secure areas shall be designed and applied. |
Yes |
ISO 27002:2013 |
A.11.1.6 |
Delivery and loading areas |
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
|
Yes |
A.11.2 |
Equipment |
|||
ISO 27002:2013 |
A.11.2.1 |
Equipment siting and protection |
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
Yes |
ISO 27002:2013 |
A.11.2.2 |
Supporting utilities |
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
Yes |
ISO 27002:2013 |
A.11.2.3 |
Cabling security |
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. |
Yes |
ISO 27002:2013 |
A.11.2.4 |
Equipment maintenance |
Equipment shall be correctly maintained to ensure its continued availability and integrity. |
Yes |
ISO 27002:2013 |
A.11.2.5 |
Removal of assets |
Equipment, information or software shall not be taken off-site without prior authorization. |
Yes |
ISO 27002:2013 |
A.11.2.6 |
Security of equipment and assets off-premises |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. |
Yes |
ISO 27002:2013 |
A.11.2.7 |
Secure disposal or reuse of equipment |
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
Yes |
ISO 27017:2021 |
The cloud service customer should request confirmation that the cloud service provider has the policies and procedures for secure disposal or reuse of resources. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should ensure that arrangements are made for the secure disposal or reuse of resources (e.g. equipment, data storage, files, memory) in a timely manner. |
Yes |
||
ISO 27002:2013 |
A.11.2.8 |
Unattended user equipment |
Users shall ensure that unattended equipment has appropriate protection. |
Yes |
ISO 27002:2013 |
A.11.2.9 |
Clear desk and clear screen policy |
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. |
Yes |
A.12 |
Operations security |
|||
A.12.1 |
Operational procedures and responsibilities |
|||
ISO 27002:2013 |
A.12.1.1 |
Documented operating procedures |
Operating procedures shall be documented and made available to all users who need them. |
Yes |
ISO 27002:2013 |
A.12.1.2 |
Change management |
Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
Yes |
ISO 27017:2021 |
The cloud service customer's change management process should take into account the impact of any changes made by the cloud service provider. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service that could adversely affect the cloud service. […] |
Yes |
||
ISMAP |
12.1.2.11.PB |
The cloud service provider provides cloud service customers with information about changes in cloud services that can adversely affect the information security of cloud service customers |
Yes |
|
ISO 27002:2013 |
A.12.1.3 |
Capacity management |
The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. |
Yes |
ISO 27017:2021 |
The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. […] |
Yes | ||
ISO 27017:2021 |
The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages. |
Yes | ||
ISO 27002:2013 |
A.12.1.4 |
Separation of development, testing and operational environment |
Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. |
Yes |
ISO 27017:2021 |
CLD.12.1.5 |
Administrator's operational security |
Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. […] Customer: Document procedures for critical operations Provider: Provide documentation about the critical operations |
Yes |
Yes | ||||
A.12.2 |
Protection from malware |
|||
A.12.2.1 |
Controls against malware |
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness |
Yes |
|
A.12.3 |
Backup |
|||
ISO 27002:2013 |
A.12.3.1 |
Information backup |
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup
|
Yes |
ISO 27017:2021 |
Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. […] |
Yes |
||
A.12.4 |
Logging and monitoring |
|||
ISO 27002:2013 |
A.12.4.1 |
Event logging |
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. |
Yes |
ISO 27017:2021 |
The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide logging capabilities to the cloud service customer. |
Yes |
||
ISO 27002:2013 |
A.12.4.2 |
Protection of log information |
Logging facilities and log information shall be protected against tampering and unauthorized access. |
Yes |
ISO 27002:2013 |
A.12.4.3 |
Administrator and operator logs |
System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed. |
Yes |
ISO 27017:2021 | If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. […] | Yes | ||
ISO 27002:2013 |
A.12.4.4
|
Clock synchronisation |
The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. |
Yes |
ISO 27017:2021 |
The cloud service customer should request information about the clock synchronization used for the cloud service provider's systems. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information to the cloud service customer regarding the clock used by the cloud service provider's systems, and information about how the cloud service customer can synchronize local clocks with the cloud service clock. |
Yes |
||
ISO 27017:2021 |
CLD.12.4.5 |
Monitoring of Cloud Services |
The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.[…] Customer: Request information from of the service monitoring capabilities Provider: Provide capabilities |
Yes |
Yes |
||||
A.12.5 | Control of operational software | |||
ISO 27002:2013 |
A.12.5.1 |
Installation of software on operational systems |
Procedures shall be implemented to control the installation of software on operational systems. |
Yes |
A.12.6 |
Technical vulnerability management |
|||
ISO 27002:2013 |
A.12.6.1 |
Management of technical vulnerabilities |
Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. |
Yes |
ISO 27017:2021 |
The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities that can affect the cloud services provided. |
Yes |
||
ISO 27002:2013 |
A.12.6.2 |
Restrictions on software installation |
Rules governing the installation of software by users shall be established and implemented. |
Yes |
A.12.7 |
Information systems audit considerations |
|||
ISO 27002:2013 |
A.12.7.1 |
Information systems audit controls |
Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business |
Yes |
A.13 |
Communications security |
|||
A.13.1 |
Network security management |
|||
ISO 27002:2013 |
A.13.1.1 |
Network controls |
Networks shall be managed and controlled to protect information in systems and applications. |
Yes |
ISO 27002:2013 |
A.13.1.2 |
Security of network services |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
Yes |
ISO 27002:2013 |
A.13.1.3 |
Segregation in networks |
Groups of information services, users and information systems shall be segregated on networks. |
Yes |
ISO 27017:2021 |
The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should enforce segregation of network access for the following cases: […] |
Yes |
||
ISO 27017:2021 |
CLD.13.1.4 |
Alignment of security management for virtual and physical networks |
Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy. |
No |
A.13.2 |
Information transfer |
|||
ISO 27002:2013 |
A.13.2.1 |
Information transfer policies and procedures |
Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. |
Yes |
ISO 27002:2013 |
A.13.2.2 |
Agreements on information transfer |
Agreements shall address the secure transfer of business information between the organization and external parties. |
Yes |
ISO 27002:2013 |
A.13.2.3 |
Electronic messaging |
Information involved in electronic messaging shall be appropriately protected. |
Yes |
ISO 27002:2013 |
A.13.2.4 |
Confidentiality or nondisclosure agreements |
Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. |
Yes |
A.14 |
System acquisition, development and maintenance |
|||
A.14.1 |
Security requirements of information systems |
|||
ISO 27002:2013 |
A.14.1.1 |
Information security requirements analysis and specification |
The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. |
Yes |
ISO 27017:2021 |
The cloud service customer should determine its information security requirements for the cloud service and then evaluate whether services offered by a cloud service provider can meet these requirements. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information to the cloud service customers about the information security capabilities they use. […] |
Yes |
||
ISO 27002:2013 |
A.14.1.2 |
Securing application services on public networks |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
Yes |
ISO 27002:2013 |
A.14.1.3 |
Protecting application services transactions |
Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
Yes |
A.14.2 |
Security in development and support processes |
|||
ISO 27002:2013 |
A.14.2.1 |
Secure development policy |
Rules for the development of software and systems shall be established and applied to developments within the organization. |
Yes |
ISO 27017:2021 |
The cloud service customer should request information from the cloud service provider about the cloud service provider's use of secure development procedures and practices. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information about its use of secure development procedures and practices to the extent compatible with its policy for disclosure. |
Yes |
||
ISO 27002:2013 |
A.14.2.2 |
System change control procedures |
Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. |
Yes |
ISO 27002:2013 |
A.14.2.3 |
Technical review of applications after operating platform changes |
When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. |
Yes |
ISO 27002:2013 |
A.14.2.4 |
Restrictions on changes to software packages |
Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. |
Yes |
ISO 27002:2013 |
A.14.2.5 |
Secure system engineering principles |
Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. |
Yes |
ISO 27002:2013 |
A.14.2.6 |
Secure development environment |
Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. |
Yes |
ISO 27002:2013 |
A.14.2.7 |
Outsourced development |
The organization shall supervise and monitor the activity of outsourced system development. |
Yes |
ISO 27002:2013 |
A.14.2.8 |
System security testing |
Testing of security functionality shall be carried out during development. |
Yes |
ISO 27002:2013 |
A.14.2.9 |
System acceptance testing |
Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. |
Yes |
A.14.3 |
Test data |
|||
ISO 27002:2013 |
A.14.3.1 |
Protection of test data |
Test data shall be selected carefully, protected and controlled. |
Yes |
A.15 |
Supplier relationships |
|||
A.15.1 |
Information security in supplier relationships |
|||
ISO 27002:2013 |
A.15.1.1 |
Information security policy for supplier relationships |
Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. |
Yes |
ISO 27017:2021 |
The cloud service customer should include the cloud service provider as a type of supplier in its information security policy for supplier relationships. This will help to mitigate risks associated with the cloud service provider's access to and management of the cloud service customer data. |
Yes |
||
ISMAP |
15.1.1.16.B |
The cloud service provider evaluates the risk of information handled in the service provided by the cloud service provider being accessed or processed without the cloud service customer's intention as a result of the application of laws other than domestic laws to the information handled. Based on this evaluation, the cloud service provider selects an external contractor and, if necessary, specifies the location where the contracted work will be performed and the governing law and jurisdiction as stipulated in the contract. |
Yes |
|
ISO 27002:2013 |
A.15.1.2 |
Addressing security within supplier agreements |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. |
Yes |
ISO 27017:2021 |
The cloud service customer should confirm the information security roles and responsibilities relating to the cloud service, as described in the service agreement. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should specify as part of an agreement the relevant information security measures that the cloud service provider will implement to ensure no misunderstanding between the cloud service provider and cloud service customer. […] |
Yes |
||
ISMAP |
15.1.2.18.PB |
The cloud service provider defines, as part of the agreement, appropriate information security measures to be implemented by the cloud service provider to avoid misunderstandings between the cloud service provider and cloud service customers. |
Yes |
|
ISO 27002:2013 |
A.15.1.3 |
Information and communication technology supply chain |
Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. |
Yes |
ISO 27017:2021 |
If a cloud service provider uses cloud services of peer cloud service providers, the cloud service provider should ensure information security levels to its own cloud service customers are maintained or exceeded. […] |
Yes |
||
A.15.2 |
Supplier service delivery management |
|||
ISO 27002:2013 |
A.15.2.1 |
Monitoring and review of supplier services |
Organizations shall regularly monitor, review and audit supplier service delivery. |
Yes |
ISO 27002:2013 |
A.15.2.2 |
Managing changes to supplier services |
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
Yes |
A.16 |
Information security incident management |
|||
A.16.1 |
Management of information security incidents and improvements |
|||
ISO 27002:2013 |
A.16.1.1 |
Responsibilities and procedures |
Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. |
Yes |
ISO 27017:2021 |
The cloud service customer should verify the allocation of responsibilities for information security incident management and should ensure that it meets the requirements of the cloud service customer. |
Yes |
||
ISO 27017:2021 |
As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider. […] |
Yes |
||
ISO 27002:2013 |
A.16.1.2 |
Reporting information security events |
Information security events shall be reported through appropriate management channels as quickly as possible. |
Yes |
ISO 27017:2021 |
The cloud service customer should request information from the cloud service provider about the mechanisms for: […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide mechanisms for: […] |
Yes |
||
ISO 27002:2013 |
A.16.1.3 |
Reporting information security weaknesses |
Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. |
Yes |
ISO 27002:2013 |
A.16.1.4 |
Assessment of and decision on information security events |
Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents. |
Yes |
ISO 27002:2013 |
A.16.1.5 |
Response to information security incidents |
Information security incidents shall be responded to in accordance with the documented procedures. |
Yes |
ISO 27002:2013 |
A.16.1.6 |
Learning from information security incidents |
Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. |
Yes |
ISO 27002:2013 |
A.16.1.7 |
Collection of evidence |
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. |
Yes |
ISO 27017:2021 |
The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment. |
Yes |
||
A.17 |
Information security aspects of business continuity management |
|||
A.17.1 |
Information security continuity |
|||
ISO 27002:2013 |
A.17.1.1 |
Planning information security continuity |
The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. |
Yes |
ISO 27002:2013 |
A.17.1.2 |
Implementing information security continuity |
The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. |
Yes |
ISO 27002:2013 |
A.17.1.3 |
Verify, review and evaluate information security continuity |
The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. |
Yes |
A.17.2 |
Redundancies |
|||
ISO 27002:2013 |
A.17.2.1 |
Availability of information processing facilities |
Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. |
Yes |
A.18 |
Compliance |
|||
A.18.1 |
Compliance with legal and contractual requirements |
|||
ISO 27002:2013 |
A.18.1.1 |
Identification of applicable legislation and contractual requirements |
All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
Yes |
ISO 27017:2021 |
The cloud service customer should consider the issue that relevant laws and regulations can be those of jurisdictions governing the cloud service provider, in addition to those governing the cloud service customer. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should inform the cloud service customer of the legal jurisdictions governing the cloud service. |
Yes |
||
ISO 27002:2013 |
A.18.1.2 |
Intellectual property rights |
Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. |
Yes |
ISO 27017:2021 |
Installing commercially licensed software in a cloud service can cause a breach of the license terms for the software. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should establish a process for responding to intellectual property rights complaints. |
Yes |
||
ISO 27002:2013 |
A.18.1.3 |
Protection of records |
Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. |
Yes |
ISO 27017:2021 |
The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. |
Yes |
||
ISO 27002:2013 |
A.18.1.4 |
Privacy and protection of personally identifiable information |
Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. |
Yes |
ISO 27002:2013 |
A.18.1.5 |
Regulation of cryptographic controls |
Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. |
Yes |
ISO 27017:2021 |
The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. |
Yes |
||
A.18.2 |
Information security reviews |
|||
ISO 27002:2013 |
A.18.2.1 |
Independent review of information security |
The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. |
Yes |
ISO 27017:2021 |
The cloud service customer should request documented evidence that the implementation of information security controls and guidelines for the cloud service is in line with any claims made by the cloud service provider. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide documented evidence to the cloud service customer to substantiate its claim of implementing information security controls. […] |
Yes |
||
ISO 27002:2013 |
A.18.2.2 |
Compliance with security policies and standards |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
Yes |
ISO 27002:2013 |
A.18.2.3 |
Technical compliance review |
Information systems shall be regularly reviewed for compliance with the organization’s security policies and standards. |
Yes |