Information Security
Introduction
Viedoc Technologies have implemented a risk-based Information Security Management System (ISMS) that facilitates a structured and continuous approach to information security. Our ISMS covers all activities and sites company-wide and is certified according to ISO 27001 with all Annex A controls included in our scope of applicability.

Security Controls Statement of Applicability v4
Source |
# |
Subject |
Control |
Applicable |
A.5 |
Information security policies |
|||
A.5.1 |
Management direction for information security |
|||
ISO 27002:2013 |
A.5.1.1 |
Policies for information security |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
Yes |
ISO 27017:2021 | An information security policy for cloud computing should be defined as a topic-specific policy of the cloud service customer. […] | Yes | ||
ISO 27017:2021 | The cloud service provider should augment its information security policy to address the provision and use of its cloud services, […] | Yes | ||
ISO 27002:2013 |
A.5.1.2 |
Review of the policies for information security |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness. |
Yes |
A.6 |
Organization of information security |
|||
A.6.1 |
Internal organization |
|||
ISO 27002:2013 |
A.6.1.1 |
Information security roles and responsibilities |
All information security responsibilities shall be defined and allocated. |
Yes |
ISO 27017:2021 |
The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities and confirm that it can fulfil its allocated roles and responsibilities. […] | Yes | ||
ISO 27017:2021 |
The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers and its suppliers. | Yes | ||
ISO 27002:2013 |
A.6.1.2 NIST SP |
Segregation of duties |
Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets. |
Yes |
ISO 27002:2013 |
A.6.1.3 NIST SP |
Contact with authorities |
Appropriate contacts with relevant authorities shall be maintained |
Yes |
ISO 27017:2021 |
The cloud service customer should identify the authorities relevant to the combined operation of the cloud service customer and the cloud service provider. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should inform the cloud service customer of the geographical locations of the cloud service provider's organization and the countries where the cloud service provider can store the cloud service customer data. |
Yes |
||
ISO 27002:2013 |
A.6.1.4 |
Contact with special interest groups |
Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained. |
Yes |
ISO 27002:2013 |
A.6.1.5 |
Information security in project management |
Information security shall be addressed in project management, regardless of the type of the project. |
Yes |
A.6.2 |
Mobile devices and teleworking |
|||
ISO 27002:2013 |
A.6.2.1 |
Mobile device policy |
A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices |
Yes |
ISO 27002:2013 |
A.6.2.2 NIST SP |
Teleworking |
A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites. |
Yes |
CLD.6.3 |
Relationship between cloud service customer and cloud service provider |
|||
ISO 27017:2021 |
CLD.6.3.1 |
Shared roles and responsibilities within a cloud computing environment |
Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider. […] Customer: Define procedure/policy and inform Provider: Document/communicate capabilities/roles/responsibilities |
Yes |
Yes | ||||
A.7 |
Human resource security |
|||
A.7.1 |
Prior to employment |
|||
ISO 27002:2013 |
A.7.1.1 NIST SP |
Screening |
Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. |
Yes |
ISO 27002:2013 |
A.7.1.2 |
Terms and conditions of employment |
The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security. |
Yes |
A.7.2 |
During employment |
|||
ISO 27002:2013 |
A.7.2.1 |
Management responsibilities |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
Yes |
ISO 27002:2013 |
A.7.2.2 NIST SP |
Information security awareness, education and training |
All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function. |
Yes |
ISO 27017:2021 |
The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide awareness, education and training for employees, and request contractors to do the same, concerning the appropriate handling of cloud service customer data and cloud service derived data. […] |
Yes |
||
ISMAP |
7.2.2.19.PB |
Cloud service providers provide education and training to raise awareness among employees regarding the proper handling of cloud service customer data and cloud service derived data, and require contract parties to do the same. |
Yes |
|
NIST SP 800-53 | AT-2(2) | Security Awareness Training: Insider Threat | Provide literacy training on recognizing and reporting potential indicators of insider threat. | Yes |
ISO 27002:2013 |
A.7.2.3 |
Disciplinary process |
There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach. |
Yes |
A.7.3 |
Termination and change of employment |
|||
ISO 27002:2013 |
A.7.3.1 NIST SP |
Termination or change of employment responsibilities |
Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. |
Yes |
A.8 |
Asset management |
|||
A.8.1 |
Responsibility for assets |
|||
ISO 27002:2013 |
A.8.1.1 NIST SP |
Inventory of assets |
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. |
Yes |
ISO 27017:2021 |
The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g. identification of the cloud service. |
Yes | ||
ISO 27017:2021 |
The inventory of assets of the cloud service provider should explicitly identify: –cloud service customer data; –cloud service derived data. |
Yes | ||
ISO 27002:2013 |
A.8.1.2 NIST SP |
Ownership of assets |
Assets maintained in the inventory shall be owned. |
Yes |
ISMAP |
8.1.2.7.PB |
The cloud service provider provides the cloud service customer with one of the following to manage the assets (including backups) of such customer.
|
Yes | |
ISO 27002:2013 |
A.8.1.3 |
Acceptable use of assets |
Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented. |
Yes |
ISO 27002:2013 |
A.8.1.4 NIST SP |
Return of assets |
All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement. |
Yes |
ISO 27017:2021 |
CLD.8.1.5 |
Removal of cloud service customer assets |
Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement. […] Customer: Request a documented description of the termination Provider: Provide information about the arrangements for the return |
Yes |
Yes | ||||
A.8.2 |
Information classification |
|||
ISO 27002:2013 |
A.8.2.1 |
Classification of information |
Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification. |
Yes |
ISO 27002:2013 |
A.8.2.2 NIST SP |
Labelling of information |
An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. |
Yes |
ISO 27017:2021 |
The cloud service customer should label information and associated assets maintained in the cloud computing environment in accordance with the cloud service customer's adopted procedures for labelling. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should document and disclose any service functionality it provides allowing cloud service customers to classify and label their information and associated assets. |
Yes |
||
ISMAP |
8.2.2.7.PB |
The cloud service provider documents and discloses the service functions that allow cloud service customers to classify and label the information and related assets handled by the cloud service providers. |
Yes |
|
ISO 27002:2013 |
A.8.2.3 NIST SP |
Handling of assets |
Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization |
Yes |
A.8.3 |
Media handling |
|||
ISO 27002:2013 |
A.8.3.1 NIST SP |
Management of removable media |
Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. |
Yes |
NIST SP 800-53 | AC-20(2) | Use of External Information Systems: Portable Storage Devices - Restricted Use | Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using organization-defined restrictions. | Yes |
NIST SP 800-53 |
MP-7(1) | Media Use: Prohibit Use Without Owner | The organization prohibits the use of portable storage devices in organizational information system when such devices have no identifiable owner. | Yes |
ISO 27002:2013 |
A.8.3.2 NIST SP |
Disposal of media |
Media shall be disposed of securely when no longer required, using formal procedures. |
Yes |
ISO 27002:2013 |
A.8.3.3 NIST SP |
Physical media transfer |
Media containing information shall be protected against unauthorized access, misuse or corruption during transportation |
Yes |
A.9 |
Access control |
|||
A.9.1 |
Business requirements of access control |
|||
ISO 27002:2013 |
A.9.1.1 |
Access control policy |
An access control policy shall be established, documented and reviewed based on business and information security requirements. |
Yes |
ISO 27002:2013 |
A.9.1.2 NIST SP |
Access to networks and network services |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
Yes |
ISO 27017:2021 |
The cloud service customer's access control policy for the use of network services should specify requirements for user access to each separate cloud service that is used. | Yes | ||
NIST SP 800-53 | AC-17(1) | Remote Access: Monitoring and Control | Employ automated mechanisms to monitor and control remote access methods. | Yes |
NIST SP 800-53 |
AC-18(1) | Wireless Access: Authentication and Encryption | Protect wireless access to the system using authentication of users, devices, and encryption. | Yes |
A.9.2 |
User access management |
|||
ISO 27002:2013 |
A.9.2.1 NIST SP |
User registration and de-registration |
A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
Yes |
ISO 27017:2021 |
To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer. |
Yes | ||
ISO 27002:2013 |
A.9.2.2 NIST SP 800-53 |
User access provisioning |
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services |
Yes |
ISO 27017:2021 |
The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions. |
Yes |
||
NIST SP 800-53 | SC-2 | Application Partitioning | The information system separates user functionality (including user interface services) from information system management functionality. | Yes |
NIST SP 800-53 |
SC-4 | Information in Shared Resources | The information system prevents unauthorized and unintended information transfer via shared system resources. | Yes |
ISO 27002:2013 |
A.9.2.3 NIST SP |
Management of privileged access rights |
The allocation and use of privileged access rights shall be restricted and controlled. |
Yes |
ISO 27017:2021 | The cloud service customer should use sufficient authentication techniques (e.g.,multi-factor authentication) for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service according to the identified risks. | Yes | ||
ISO 27017:2021 | The cloud service provider should provide sufficient authentication techniques for authenticating the cloud service administrators of the cloud service customer to the administrative capabilities of a cloud service, according to the identified risks. | Yes | ||
ISMAP | 9.2.3.11.PB |
Depending on the identified risks, cloud service providers provide sufficiently strong authentication technologies for administrator authentication of cloud service customers that are tailored to the management capabilities of the cloud service |
Yes | |
NIST SP 800-53 |
AC-6(5) | Least Privilege: Privileged Accounts |
Restrict privileged accounts on the system to organization-defined personnel or roles. | Yes |
NIST SP 800-53 |
AC-17(4) | Remote Access: Privileged Commands and Access |
a) Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the nee following needs: organization-defined needs; and b) Document the rationale for remote access in the security plan for the system. |
Yes |
ISO 27002:2013 |
A.9.2.4 NIST SP |
Management of secret authentication information of users |
The allocation of secret authentication information shall be controlled through a formal management process. |
Yes |
ISO 27017:2021 | The cloud service customer should verify that the cloud service provider's management procedure for allocating secret authentication information, such as passwords, meets the cloud service customer's requirements. | Yes | ||
ISO 27017:2021 | The cloud service provider should provide information on procedures for the management of the secret authentication information of the cloud service customer, including the procedures for allocating such information and for user authentication. | Yes | ||
ISO 27002:2013 |
A.9.2.5 NIST SP |
Review of user access rights |
Asset owners shall review users’ access rights at regular intervals. |
Yes |
ISO 27002:2013 |
A.9.2.6 NIST SP |
Removal or adjustment of access rights |
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change. |
Yes |
A.9.3 |
User responsibilities |
|||
ISO 27002:2013 |
A.9.3.1 NIST SP |
Use of secret authentication information |
Users shall be required to follow the organization’s practices in the use of secret authentication information |
Yes |
A.9.4 |
System and application access control |
|||
ISO 27002:2013 |
A.9.4.1 NIST SP |
Information access restriction |
Access to information and application system functions shall be restricted in accordance with the access control policy. |
Yes |
ISO 27017:2021 |
The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service. |
Yes |
||
ISO 27002:2013 |
A.9.4.2 NIST SP |
Secure log-on procedures |
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
Yes |
NIST SP 800-53 | IA-2(1) | Identification And Authentication (Organizational Users): Network Access To Privileged Accounts | The information system implements multifactor authentication for network access to privileged accounts. | Yes |
NIST SP 800-53 | IA-2(2) | Identification And Authentication (Organizational Users): Network Access To Non-Privileged Accounts | The information system implements multifactor authentication for network access to non-privileged accounts. | Yes |
NIST SP 800-53 |
IA-2(3) | Identification And Authentication (Organizational Users): Local Access To Privileged Accounts | The information system implements multifactor authentication for local access to privileged accounts. | Yes |
NIST SP |
IA-2(8) |
Identification And Authentication (Organizational Users): Network Access To Privileged Accounts – Replay Resistant | The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. | Yes |
NIST SP 800-53 | IA-2(9) | Identification And Authentication (Organizational Users): Network Access To Non-Privileged Accounts – Replay Resistant | The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts. | Yes |
NIST SP 800-53 |
IA-5(1) | Authenticator Management: Password-Based Authentication |
The information system, for password-based authentication:
|
Yes |
ISO 27002:2013 |
A.9.4.3 NIST SP |
Password management system |
Password management systems shall be interactive and shall ensure quality passwords. |
Yes |
ISO 27002:2013 |
A.9.4.4 NIST SP 800-53 |
Use of privileged utility programs |
The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled. |
Yes |
ISO 27017:2021 |
Where the use of utility programs is permitted, the cloud service customer should identify the utility programs to be used in its cloud computing environment, and ensure that they do not interfere with the controls of the cloud service. |
Yes | ||
ISO 27017:2021 |
The cloud service provider should identify the requirements for any utility programs used within the cloud service. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly. |
Yes | ||
NIST SP 800-53 | AC-6(1) | Least Privilege: Authorize Access to Security Functions |
Authorize access for organization-defined individuals or roles to:
|
Yes |
NIST SP 800-53 | AC-6(2) | Least Privilege: Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to organization-defined security functions or security-relevant information use non-privileged accounts or roles, when accessing nonsecurity functions. | Yes |
NIST SP 800-53 | AC-6(10) | Least Privilege: Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. | Yes |
ISO 27002:2013 |
A.9.4.5 NIST SP |
Access control to program source code |
Access to program source code shall be restricted. |
Yes |
CLD.9.5 |
Access control of cloud service customer data in shared virtual environment |
|||
ISO 27017:2021 |
CLD.9.5.1 |
Segregation in virtual computing environments |
A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons. […] Applies to provider only. |
Yes |
ISO 27017:2021 |
CLD.9.5.2 |
Virtual machine hardening |
Virtual machines in a cloud computing environment should be hardened to meet business needs. […] Applies to both customer and provider. |
Yes |
ISMAP |
9.5.2.PB |
When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened […], and that the appropriate technical measures are in place […] for each virtual machine used. |
Yes | |
A.10 |
Cryptography |
|||
A.10.1 |
Cryptographic controls |
|||
ISO 27002:2013 |
A.10.1.1 NIST SP 800-53 |
Policy on the use of cryptographic controls |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
Yes |
ISO 27017:2021 |
The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. […] |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. […] |
Yes |
||
ISMAP | 10.1.1.9.PB |
The cloud service provider provides the cloud service customer with the capability to use cryptographic techniques to protect the information processed by the customer, or provides information about the environment in which the cryptographic techniques are used. |
Yes |
|
NIST SP 800-53 | AC-17(2) | Remote Access: Protection of Confidentiality and Integrity Using Encryption | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. | Yes |
NIST SP 800-53 | AC-19(5) | Access Control For Mobile Devices: Full Device or Container-based Encryption | Employ full-device encryption, container-based encryption to protect the confidentiality and integrity of information on organization-defined mobile devices. | Yes |
NIST SP 800-53 | MP-5(4) | Media Transport: Cryptographic Protection | The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas. | Yes |
NIST SP 800-53 | SC-8(1) | Transmission Confidentiality And Integrity: Cryptographic Or Alternate Physical Protection | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. | Yes |
ISO 27002:2013 |
A.10.1.2 NIST SP 800-53 |
Key management |
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle |
Yes |
ISO 27017:2021 |
The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management. |
Yes |
||
ISMAP |
10.1.2.20.PB |
The cloud service provider provides a cloud service customer with a function that allows said customer to manage cryptographic keys used to encrypt information managed by said customer, or provides information on how said customer manages cryptographic keys |
Yes |
|
A.11 |
Physical and environmental security |
|||
A.11.1 |
Secure areas |
|||
ISO 27002:2013 |
A.11.1.1 NIST SP |
Physical security perimeter |
Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities. |
Yes |
ISO 27002:2013 |
A.11.1.2 NIST SP |
Physical entry controls |
Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. |
Yes |
ISO 27002:2013 |
A.11.1.3 NIST SP |
Securing offices, rooms and facilities |
Physical security for offices, rooms and facilities shall be designed and applied. |
Yes |
ISO 27002:2013 |
A.11.1.4 |
Protecting against external and environmental threats |
Physical protection against natural disasters, malicious attack or accidents shall be designed and applied |
Yes |
ISO 27002:2013 |
A.11.1.5 |
Working in secure areas |
Procedures for working in secure areas shall be designed and applied. |
Yes |
ISO 27002:2013 |
A.11.1.6 |
Delivery and loading areas |
Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.
|
Yes |
NIST SP 800-53 |
PE-6 | Monitoring Physical Access |
The organization:
|
|
A.11.2 |
Equipment |
|||
ISO 27002:2013 |
A.11.2.1 |
Equipment siting and protection |
Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. |
Yes |
ISO 27002:2013 |
A.11.2.2 |
Supporting utilities |
Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities. |
Yes |
ISO 27002:2013 |
A.11.2.3 NIST SP 800-53 |
Cabling security |
Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage. |
Yes |
ISO 27002:2013 |
A.11.2.4 NIST SP |
Equipment maintenance |
Equipment shall be correctly maintained to ensure its continued availability and integrity. |
Yes |
NIST SP 800-53 | MA-3 | Maintenance Tools | The organization approves, controls, and monitors information system maintenance tools. | Yes |
NIST SP 800-53 |
MA-3(1) | Maintenance Tools: Inspect Tools | The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications. | Yes |
NIST SP 800-53 |
MA-3(2) | Maintenance Tools: Inspect Media |
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system. | Yes |
NIST SP 800-53 |
MA-4 | Nonlocal Maintenance |
The organization:
|
Yes |
NIST SP 800-53 | MA-5 | Maintenance Personnel |
The organization:
|
Yes |
ISO 27002:2013 |
A.11.2.5 NIST SP |
Removal of assets |
Equipment, information or software shall not be taken off-site without prior authorization. |
Yes |
ISO 27002:2013 |
A.11.2.6 NIST SP |
Security of equipment and assets off-premises |
Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises. |
Yes |
ISO 27002:2013 |
A.11.2.7 NIST SP |
Secure disposal or reuse of equipment |
All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. |
Yes |
ISO 27017:2021 |
The cloud service customer should request confirmation that the cloud service provider has the policies and procedures for secure disposal or reuse of resources. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should ensure that arrangements are made for the secure disposal or reuse of resources (e.g. equipment, data storage, files, memory) in a timely manner. |
Yes |
||
ISO 27002:2013 |
A.11.2.8 NIST SP |
Unattended user equipment |
Users shall ensure that unattended equipment has appropriate protection. |
Yes |
ISO 27002:2013 |
A.11.2.9 NIST SP 800-53 |
Clear desk and clear screen policy |
A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted. |
Yes |
NIST SP 800-53 |
AC-11(1) | Session Lock: Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. | Yes |
NIST SP 800-53 |
AC-12 | Session Termination | Automatically terminate a user session after organization-defined conditions, or trigger events requiring session disconnect. | Yes |
A.12 |
Operations security |
|||
A.12.1 |
Operational procedures and responsibilities |
|||
ISO 27002:2013 |
A.12.1.1 |
Documented operating procedures |
Operating procedures shall be documented and made available to all users who need them. |
Yes |
ISO 27002:2013 |
A.12.1.2 NIST SP |
Change management |
Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled. |
Yes |
ISO 27017:2021 |
The cloud service customer's change management process should take into account the impact of any changes made by the cloud service provider. |
Yes |
||
ISO 27017:2021 |
The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service that could adversely affect the cloud service. […] | Yes |
ISMAP | 12.1.2.11.PB | | The cloud service provider provides cloud service customers with information about changes in cloud services that can adversely affect the information security of cloud service customers. | Yes |
NIST SP 800-53 | CM-2 | Baseline Configuration | The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system. | Yes |
NIST SP 800-53 | CM-6 | Configuration Settings | The organization: | Yes |
NIST SP 800-53 | CM-8(1) | Configuration Management: Updates During Installations / Removals | The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates. | Yes |
ISO 27002:2013 | A.12.1.3 | Capacity management | The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. | Yes |
ISO 27017:2021 | | | The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages. | Yes |
ISO 27002:2013 / NIST SP | A.12.1.4 | Separation of development, testing and operational environment | Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. | Yes |
ISO 27017:2021 | CLD.12.1.5 | Administrator's operational security | Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored. […] Customer: Document procedures for critical operations. Provider: Provide documentation about the critical operations. | Yes | Yes |
A.12.2 | Protection from malware | |||
ISO 27002:2013 / NIST SP | A.12.2.1 | Controls against malware | Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. | Yes |
A.12.3 | Backup | |||
ISO 27002:2013 / NIST SP | A.12.3.1 | Information backup | Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup | Yes |
ISO 27017:2021 | | | Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. […] | Yes |
A.12.4 | Logging and monitoring | |||
ISO 27002:2013 / NIST SP 800-53 | A.12.4.1 | Event logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | Yes |
ISO 27017:2021 | | | The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide logging capabilities to the cloud service customer. | Yes |
NIST SP 800-53 | AC-6(9) | Least Privilege: Log Use of Privileged Functions | Log the execution of privileged functions. | Yes |
NIST SP 800-53 | AU-2 | Audit Events | The organization: | Yes |
NIST SP 800-53 | AU-2(3) | Audit Events: Reviews and Updates | The information system generates audit records containing the following additional information: organization-defined additional, more detailed information. | Yes |
NIST SP 800-53 | AU-3(1) | Content of Audit Records: Additional Audit Information | The information system generates audit records containing the following additional information: organization-defined additional, more detailed information. | Yes |
NIST SP 800-53 | AU-5 | Response To Audit Processing Failures | The information system: | Yes |
NIST SP 800-53 | AU-6(3) | Audit Review, Analysis, And Reporting: Correlate Audit Repositories | The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness. | Yes |
NIST SP 800-53 | AU-7 | Audit Reduction And Report Generation | The information system provides an audit reduction and report generation capability that: | Yes |
ISO 27002:2013 / NIST SP | A.12.4.2 | Protection of log information | Logging facilities and log information shall be protected against tampering and unauthorized access. | Yes |
NIST SP 800-53 | AU-9(4) | Protection of Audit Information: Access By Subset of Privileged Users | The organization authorizes access to management of audit functionality to only organization-defined subset of privileged users. | Yes |
ISO 27002:2013 / NIST SP | A.12.4.3 | Administrator and operator logs | System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed. | Yes |
ISO 27017:2021 | | | If a privileged operation is delegated to the cloud service customer, the operation and performance of those operations should be logged. […] | Yes |
ISO 27002:2013 / NIST SP | A.12.4.4 | Clock synchronisation | The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source. | Yes |
ISO 27017:2021 | | | The cloud service customer should request information about the clock synchronization used for the cloud service provider's systems. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide information to the cloud service customer regarding the clock used by the cloud service provider's systems, and information about how the cloud service customer can synchronize local clocks with the cloud service clock. | Yes |
NIST SP 800-53 | AU-8(1) | Time Stamps: | The information system: | Yes |
NIST SP 800-53 | SI-4 | Information System Monitoring | The organization: | Yes |
NIST SP 800-53 | SI-4(4) | Information System Monitoring: Inbound And Outbound Communication Traffic | The information system monitors inbound and outbound communications traffic organization-defined frequency for unusual or unauthorized activities or conditions. | Yes |
ISO 27017:2021 | CLD.12.4.5 | Monitoring of Cloud Services | The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses. […] Customer: Request information about the service monitoring capabilities. Provider: Provide capabilities. | Yes | Yes |
A.12.5 | Control of operational software | |||
ISO 27002:2013 / NIST SP | A.12.5.1 | Installation of software on operational systems | Procedures shall be implemented to control the installation of software on operational systems. | Yes |
A.12.6 | Technical vulnerability management | |||
ISO 27002:2013 / NIST SP | A.12.6.1 | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk. | Yes |
ISO 27017:2021 | | | The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided. | Yes |
ISO 27017:2021 | | | The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities that can affect the cloud services provided. | Yes |
NIST SP 800-53 | RA-5(1) | Vulnerability Scanning: Update Tool Capacity | The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned. | Yes |
ISO 27002:2013 / NIST SP | A.12.6.2 | Restrictions on software installation | Rules governing the installation of software by users shall be established and implemented. | Yes |
NIST SP 800-53 | CM-7(1) | Least Functionality: Periodic Review | The organization: | Yes |
NIST SP 800-53 | CM-7(2) | Least Functionality: Prevent Program Execution | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions or rules authorizing the terms and conditions of software program usage. | Yes |
NIST SP 800-53 | CM-7(4) | Least Functionality: Unauthorized Software / Blacklisting | The organization: | Yes |
NIST SP 800-53 | CM-7(5) | Least Functionality: Authorized Software / Whitelisting | The organization: | Yes |
NIST SP 800-53 | SC-18 | Mobile Code | The organization: | Yes |
A.12.7 | Information systems audit considerations | |||
ISO 27002:2013 | A.12.7.1 | Information systems audit controls | Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business | Yes |
A.13 | Communications security | |||
A.13.1 | Network security management | |||
ISO 27002:2013 / NIST SP | A.13.1.1 | Network controls | Networks shall be managed and controlled to protect information in systems and applications. | Yes |
ISO 27002:2013 | A.13.1.2 | Security of network services | Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. | Yes |
ISO 27002:2013 / NIST SP | A.13.1.3 | Segregation in networks | Groups of information services, users and information systems shall be segregated on networks. | Yes |
ISO 27017:2021 | | | The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements. | Yes |
ISO 27017:2021 | | | The cloud service provider should enforce segregation of network access for the following cases: […] | Yes |
ISO 27017:2021 | CLD.13.1.4 | Alignment of security management for virtual and physical networks | Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy. | No |
NIST SP 800-53 | AC-17(3) | Remote Access: Managed Access Control Points | Route remote accesses through authorized and managed network access control points. | Yes |
NIST SP 800-53 | IA-3 | Device Identification And Authentication | The information system uniquely identifies and authenticates organization-defined specific and/or types of devices before establishing a local; remote; network connection. | Yes |
NIST SP 800-53 | SC-7(5) | Boundary Protection: Deny By Default / Allow By Exception | The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception). | Yes |
NIST SP 800-53 | SC-7(7) | Boundary Protection: Prevent Split Tunneling For Remote Devices | The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communication via some other connection to resources in external networks. | Yes |
A.13.2 | Information transfer | |||
ISO 27002:2013 / NIST SP | A.13.2.1 | Information transfer policies and procedures | Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities. | Yes |
ISO 27002:2013 | A.13.2.2 | Agreements on information transfer | Agreements shall address the secure transfer of business information between the organization and external parties. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.13.2.3 | Electronic messaging | Information involved in electronic messaging shall be appropriately protected. | Yes |
NIST SP 800-53 | SC-19 | Voice Over Internet Protocol | The organization: | Yes |
ISO 27002:2013 | A.13.2.4 | Confidentiality or nondisclosure agreements | Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented. | Yes |
A.14 | System acquisition, development and maintenance | |||
A.14.1 | Security requirements of information systems | |||
ISO 27002:2013 | A.14.1.1 | Information security requirements analysis and specification | The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems. | Yes |
ISO 27017:2021 | | | The cloud service customer should determine its information security requirements for the cloud service and then evaluate whether services offered by a cloud service provider can meet these requirements. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should provide information to the cloud service customers about the information security capabilities they use. […] | Yes |
ISO 27002:2013 / NIST SP | A.14.1.2 | Securing application services on public networks | Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.14.1.3 | Protecting application services transactions | Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. | Yes |
A.14.2 | Security in development and support processes | |||
ISO 27002:2013 | A.14.2.1 | Secure development policy | Rules for the development of software and systems shall be established and applied to developments within the organization. | Yes |
ISO 27017:2021 | | | The cloud service customer should request information from the cloud service provider about the cloud service provider's use of secure development procedures and practices. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide information about its use of secure development procedures and practices to the extent compatible with its policy for disclosure. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.14.2.2 | System change control procedures | Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.14.2.3 | Technical review of applications after operating platform changes | When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security. | Yes |
ISO 27002:2013 / NIST SP | A.14.2.4 | Restrictions on changes to software packages | Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. | Yes |
ISO 27002:2013 / NIST SP | A.14.2.5 | Secure system engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts. | Yes |
ISO 27002:2013 | A.14.2.6 | Secure development environment | Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle. | Yes |
ISO 27002:2013 | A.14.2.7 | Outsourced development | The organization shall supervise and monitor the activity of outsourced system development. | Yes |
ISO 27002:2013 / NIST SP | A.14.2.8 | System security testing | Testing of security functionality shall be carried out during development. | Yes |
ISO 27002:2013 | A.14.2.9 | System acceptance testing | Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions. | Yes |
A.14.3 | Test data | |||
ISO 27002:2013 | A.14.3.1 | Protection of test data | Test data shall be selected carefully, protected and controlled. | Yes |
A.15 | Supplier relationships | |||
A.15.1 | Information security in supplier relationships | |||
ISO 27002:2013 | A.15.1.1 | Information security policy for supplier relationships | Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented. | Yes |
ISO 27017:2021 | | | The cloud service customer should include the cloud service provider as a type of supplier in its information security policy for supplier relationships. This will help to mitigate risks associated with the cloud service provider's access to and management of the cloud service customer data. | Yes |
ISMAP | 15.1.1.16.B | | The cloud service provider evaluates the risk of information handled in the service provided by the cloud service provider being accessed or processed without the cloud service customer's intention as a result of the application of laws other than domestic laws to the information handled. Based on this evaluation, the cloud service provider selects an external contractor and, if necessary, specifies the location where the contracted work will be performed and the governing law and jurisdiction as stipulated in the contract. | Yes |
ISO 27002:2013 | A.15.1.2 | Addressing security within supplier agreements | All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization’s information. | Yes |
ISO 27017:2021 | | | The cloud service customer should confirm the information security roles and responsibilities relating to the cloud service, as described in the service agreement. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should specify as part of an agreement the relevant information security measures that the cloud service provider will implement to ensure no misunderstanding between the cloud service provider and cloud service customer. […] | Yes |
ISMAP | 15.1.2.18.PB | | The cloud service provider defines, as part of the agreement, appropriate information security measures to be implemented by the cloud service provider to avoid misunderstandings between the cloud service provider and cloud service customers. | Yes |
NIST SP 800-53 | AC-20(1) | Use of External Information Systems: Limits on Authorized Use | Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: | Yes |
ISO 27002:2013 | A.15.1.3 | Information and communication technology supply chain | Agreements with suppliers shall include requirements to address the information security risks associated with information and communications technology services and product supply chain. | Yes |
ISO 27017:2021 | | | If a cloud service provider uses cloud services of peer cloud service providers, the cloud service provider should ensure information security levels to its own cloud service customers are maintained or exceeded. […] | Yes |
A.15.2 | Supplier service delivery management | |||
ISO 27002:2013 | A.15.2.1 | Monitoring and review of supplier services | Organizations shall regularly monitor, review and audit supplier service delivery. | Yes |
ISO 27002:2013 | A.15.2.2 | Managing changes to supplier services | Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. | Yes |
A.16 | Information security incident management | |||
A.16.1 | Management of information security incidents and improvements | |||
ISO 27002:2013 | A.16.1.1 | Responsibilities and procedures | Management responsibilities and procedures shall be established to ensure a quick, effective and orderly response to information security incidents. | Yes |
ISO 27017:2021 | | | The cloud service customer should verify the allocation of responsibilities for information security incident management and should ensure that it meets the requirements of the cloud service customer. | Yes |
ISO 27017:2021 | | | As a part of the service specifications, the cloud service provider should define the allocation of information security incident management responsibilities and procedures between the cloud service customer and the cloud service provider. […] | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.16.1.2 | Reporting information security events | Information security events shall be reported through appropriate management channels as quickly as possible. | Yes |
ISO 27017:2021 | | | The cloud service customer should request information from the cloud service provider about the mechanisms for: […] | Yes |
ISO 27017:2021 | | | The cloud service provider should provide mechanisms for: […] | Yes |
ISO 27002:2013 / NIST SP | A.16.1.3 | Reporting information security weaknesses | Employees and contractors using the organization’s information systems and services shall be required to note and report any observed or suspected information security weaknesses in systems or services. | Yes |
ISO 27002:2013 / NIST SP | A.16.1.4 | Assessment of and decision on information security events | Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents. | Yes |
ISO 27002:2013 / NIST SP | A.16.1.5 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | Yes |
ISO 27002:2013 / NIST SP | A.16.1.6 | Learning from information security incidents | Knowledge gained from analysing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents. | Yes |
NIST SP 800-53 | IR-5 | Incident Monitoring | The organization tracks and documents information system security incidents. | Yes |
ISO 27002:2013 / NIST SP | A.16.1.7 | Collection of evidence | The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence. | Yes |
ISO 27017:2021 | | | Cloud service customer: The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment. | Yes |
ISO 27017:2021 | | | Cloud service provider: The cloud service customer and the cloud service provider should agree upon the procedures to respond to requests for potential digital evidence or other information from within the cloud computing environment. | Yes |
NIST SP 800-53 | IR-7 | Incident Response Assistance | The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents. | Yes |
NIST SP 800-53 | IR-3 | Incident Response Testing | The organization tests the incident response capability for the information system organization-defined frequency using organization-defined tests to determine the incident response effectiveness and documents the results. | Yes |
A.17 | Information security aspects of business continuity management | |||
A.17.1 | Information security continuity | |||
ISO 27002:2013 | A.17.1.1 | Planning information security continuity | The organization shall determine its requirements for information security and the continuity of information security management in adverse situations, e.g. during a crisis or disaster. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.17.1.2 | Implementing information security continuity | The organization shall establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security during an adverse situation. | Yes |
ISO 27002:2013 | A.17.1.3 | Verify, review and evaluate information security continuity | The organization shall verify the established and implemented information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. | Yes |
NIST SP 800-53 | CA-5 | Plan Of Action And Milestones | The organization: | Yes |
NIST SP 800-53 | CA-7 | Continuous Monitoring | The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: | Yes |
A.17.2 | Redundancies | |||
ISO 27002:2013 | A.17.2.1 | Availability of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | Yes |
A.18 | Compliance | |||
A.18.1 | Compliance with legal and contractual requirements | |||
ISO 27002:2013 | A.18.1.1 | Identification of applicable legislation and contractual requirements | All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. | Yes |
ISO 27017:2021 | | | The cloud service customer should consider the issue that relevant laws and regulations can be those of jurisdictions governing the cloud service provider, in addition to those governing the cloud service customer. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should inform the cloud service customer of the legal jurisdictions governing the cloud service. | Yes |
ISO 27002:2013 | A.18.1.2 | Intellectual property rights | Appropriate procedures shall be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products. | Yes |
ISO 27017:2021 | | | Installing commercially licensed software in a cloud service can cause a breach of the license terms for the software. […] | Yes |
ISO 27017:2021 | | | The cloud service provider should establish a process for responding to intellectual property rights complaints. | Yes |
ISO 27002:2013 / NIST SP | A.18.1.3 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements. | Yes |
ISO 27017:2021 | | | The cloud service customer should request information from the cloud service provider about the protection of records gathered and stored by the cloud service provider that are relevant to the use of cloud services by the cloud service customer. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide information to the cloud service customer about the protection of records that are gathered and stored by the cloud service provider relating to the use of cloud services by the cloud service customer. | Yes |
ISO 27002:2013 | A.18.1.4 | Privacy and protection of personally identifiable information | Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable. | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.18.1.5 | Regulation of cryptographic controls | Cryptographic controls shall be used in compliance with all relevant agreements, legislation and regulations. | Yes |
ISO 27017:2021 | | | The cloud service customer should verify that the set of cryptographic controls that apply to the use of a cloud service comply with relevant agreements, legislation and regulations. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide descriptions of the cryptographic controls implemented by the cloud service provider to the cloud service customer for reviewing compliance with applicable agreements, legislation and regulations. | Yes |
A.18.2 | Information security reviews | |||
ISO 27002:2013 | A.18.2.1 | Independent review of information security | The organization’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) shall be reviewed independently at planned intervals or when significant changes occur. | Yes |
ISO 27017:2021 | | | The cloud service customer should request documented evidence that the implementation of information security controls and guidelines for the cloud service is in line with any claims made by the cloud service provider. | Yes |
ISO 27017:2021 | | | The cloud service provider should provide documented evidence to the cloud service customer to substantiate its claim of implementing information security controls. […] | Yes |
ISO 27002:2013 / NIST SP 800-53 | A.18.2.2 | Compliance with security policies and standards | Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. | Yes |
ISO 27002:2013 / NIST SP | A.18.2.3 | Technical compliance review | Information systems shall be regularly reviewed for compliance with the organization’s security policies and standards. | Yes |