A.5

Information security policies

A.5.1

Management direction for information security

ISO 27002:2013

A.5.1.1

Policies for information security

A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.

Yes

A.5.1.2

Review of the policies for information security

The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

Yes

A.6

Organization of information security

A.6.1

Internal organization

ISO 27002:2013

A.6.1.1

Information security roles and responsibilities

All information security responsibilities shall be defined and allocated.

Yes

ISO 27017:2021

ISO 27017:2021

ISO 27002:2013

A.6.1.2

NIST SP
800-53
AC-5
PL-2

Segregation of duties

Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Yes

ISO 27002:2013

A.6.1.3

NIST SP
800-53
IR-6

Contact with authorities

Appropriate contacts with relevant authorities shall be maintained

Yes

ISO 27017:2021

Yes

ISO 27017:2021

Yes

ISO 27002:2013

A.6.1.4

Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Yes

ISO 27002:2013

A.6.1.5

Information security in project management

Information security shall be addressed in project management, regardless of the type of the project.

Yes

A.6.2

Mobile devices and teleworking

ISO 27002:2013

A.6.2.1
NIST SP
800-53
AC-17,
AC-18,
AC-19

Mobile device policy

A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices

Yes

ISO 27002:2013

A.6.2.2

NIST SP
800-53
AC-3,
AC-17,
PE-17

Teleworking

A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Yes

CLD.6.3

Relationship between cloud service customer and cloud service provider

ISO 27017:2021

CLD.6.3.1

Shared roles and responsibilities within a cloud computing environment

Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.

[…]

Customer: Define procedure/policy and inform

A.7

Human resource security

A.7.1

Prior to employment

ISO 27002:2013

A.7.1.1

NIST SP
800-53
PS-3

Screening

Background verification checks on all candidates for employment shall be carried out in accordance with relevant laws, regulations and ethics and shall be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Yes

ISO 27002:2013

A.7.1.2

Terms and conditions of employment

The contractual agreements with employees and contractors shall state their and the organization’s responsibilities for information security.

Yes

A.7.2

During employment

ISO 27002:2013

A.7.2.1

Management responsibilities

Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Yes

ISO 27002:2013

A.7.2.2

NIST SP
800-53
AT-2,
AT-3,
IR-2

Information security awareness, education and training

All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.

Yes

ISO 27017:2021

The cloud service customer should add the following items to awareness, education and training programmes for cloud service business managers, cloud service administrators, cloud service integrators and cloud service users, including relevant employees and contractors: […]

Yes

ISO 27017:2021

Yes

ISMAP

7.2.2.19.PB

Cloud service providers provide education and training to raise awareness among employees regarding the proper handling of cloud service customer data and cloud service derived data, and require contract parties to do the same.

Yes

ISO 27002:2013

A.7.2.3

Disciplinary process

There shall be a formal and communicated disciplinary process in place to take action against employees who have committed an information security breach.

Yes

A.7.3

Termination and change of employment

ISO 27002:2013

A.7.3.1

NIST SP
800-53
PS-4,
PS-5

Termination or change of employment responsibilities

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced.

Yes

A.8

Asset management

A.8.1

Responsibility for assets

ISO 27002:2013

A.8.1.1

NIST SP
800-53
CM-8

Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

Yes

ISO 27017:2021

The cloud service customer's inventory of assets should account for information and associated assets stored in the cloud computing environment. The records of the inventory should indicate where the assets are maintained, e.g. identification of the cloud service.

ISO 27017:2021

The inventory of assets of the cloud service provider should explicitly identify:

–cloud service customer data;

ISO 27002:2013

A.8.1.2

NIST SP
800-53
CM-8

Ownership of assets

Assets maintained in the inventory shall be owned.

Yes

ISMAP

8.1.2.7.PB

The cloud service provider provides the cloud service customer with one of the

following to manage the assets (including backups) of such customer.

1. A function that encrypts the assets managed by the relevant customer before they are recorded (including backups) on a storage medium, and enables the relevant customer to manage and delete the encryption key
2. Information necessary for the relevant customer to implement the function of encrypting the assets managed by the relevant customer before recording (including backup) them on the storage media, and manage and delete the cryptographic keys

ISO 27002:2013

A.8.1.3

Acceptable use of assets

Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented.

Yes

A.8.1.4

NIST SP
800-53
PS-4,
PS-5

Return of assets

All employees and external party users shall return all of the organizational assets in their possession upon termination of their employment, contract or agreement.

Yes

ISO 27017:2021

CLD.8.1.5

Removal of cloud service customer assets

Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.

[…]

Customer: Request a documented description of the termination

Yes

A.8.2

Information classification

A.8.2.1

Classification of information

Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.

Yes

A.8.2.2

NIST SP
800-53
MP-3

Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Yes

The cloud service customer should label information and associated assets maintained in the cloud computing environment in accordance with the cloud service customer's adopted procedures for labelling. […]

Yes

The cloud service provider should document and disclose any service functionality it provides allowing cloud service customers to classify and label their information and associated assets.

Yes

ISMAP

8.2.2.7.PB

The cloud service provider documents and discloses the service functions that allow cloud service customers to classify and label the information and related assets handled by the cloud service providers.

Yes

ISO 27002:2013

A.8.2.3

NIST SP
800-53
MP-2,
MP-4,
MP-6,
MP-5,
MP-7,
SC-8,
SC-28

Handling of assets

Procedures for handling assets shall be developed and implemented in accordance with the information classification scheme adopted by the organization

Yes

A.8.3

Media handling

ISO 27002:2013

A.8.3.1

NIST SP
800-53
MP-2,
MP-4,
MP-6,
MP-7

Management of removable media

Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Yes

ISO 27002:2013

A.8.3.2

NIST SP
800-53
MP-6

Disposal of media

Media shall be disposed of securely when no longer required, using formal procedures.

Yes

ISO 27002:2013

A.8.3.3

NIST SP
800-53
MP-5

Physical media transfer

Media containing information shall be protected against unauthorized access, misuse or corruption during transportation

Yes

A.9

Access control

A.9.1

Business requirements of access control

ISO 27002:2013

A.9.1.1

Access control policy

An access control policy shall be established, documented and reviewed based on business and information security requirements.

Yes

ISO 27002:2013

A.9.1.2

NIST SP
800-53
AC-3,
AC-6

Access to networks and network services

Users shall only be provided with access to the network and network services that they have been specifically authorized to use.

Yes

ISO 27017:2021

A.9.2

User access management

ISO 27002:2013

A.9.2.1

NIST SP
800-53
AC-2,
IA-2,
IA-4,
IA-5

User registration and de-registration

A formal user registration and de-registration process shall be implemented to enable assignment of access rights.

Yes

ISO 27017:2021

To manage access to cloud services by a cloud service customer's cloud service users, the cloud service provider should provide user registration and deregistration functions, and specifications for the use of these functions to the cloud service customer.

ISO 27002:2013

A.9.2.2

NIST SP 800-53
AC-2

User access provisioning

A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services

Yes

ISO 27017:2021

The cloud service provider should provide functions for managing the access rights of the cloud service customer's cloud service users, and specifications for the use of these functions.

Yes

A.9.2.3

NIST SP
800-53
AC-2,
AC-6,
CM-5

Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled.

Yes

Depending on the identified risks, cloud service providers provide sufficiently strong authentication technologies for administrator authentication of cloud service customers that are tailored to the management capabilities of the cloud service

A.9.2.4

NIST SP
800-53
IA-5

Management of secret authentication information of users

The allocation of secret authentication information shall be controlled through a formal management process.

Yes

A.9.2.5

NIST SP
800-53
AC-2

Review of user access rights

Asset owners shall review users’ access rights at regular intervals.

Yes

A.9.2.6

NIST SP
800-53
AC-2

Removal or adjustment of access rights

The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.

Yes

A.9.3

User responsibilities

A.9.3.1

NIST SP
800-53
IA-5

Use of secret authentication information

Users shall be required to follow the organization’s practices in the use of secret authentication information

Yes

A.9.4

System and application access control

A.9.4.1

NIST SP
800-53
AC-3

Information access restriction

Access to information and application system functions shall be restricted in accordance with the access control policy.

Yes

ISO 27017:2021

The cloud service customer should ensure that access to information in the cloud service can be restricted in accordance with its access control policy and that such restrictions are realized. This includes restricting access to cloud services, cloud service functions, and cloud service customer data maintained in the service.

Yes

ISO 27017:2021

The cloud service provider should provide access controls that allow the cloud service customer to restrict access to its cloud services, its cloud service functions and the cloud service customer data maintained in the service.

Yes

A.9.4.2

NIST SP
800-53
AC-7,
AC-8,
IA-6

Secure log-on procedures

Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.

Yes

NIST SP
800-53

IA-2(8)

The information system, for password-based authentication:

1. Enforces minimum password complexity of organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;
2. Enforces at least the following number of changed characters when new passwords are created: organization-defined number;
3. Stores and transmits only cryptographically-protected passwords;
4. Enforces password minimum and maximum lifetime restrictions of organization-defined numbers for lifetime minimum, lifetime maximum;
5. Prohibits password reuse for organization-defined number generations; and
6. Allows the use of a temporary password for system logons with an immediate change to a permanent password.

A.9.4.3

NIST SP
800-53
IA-5

Password management system

Password management systems shall be interactive and shall ensure quality passwords.

Yes

A.9.4.4

NIST SP 800-53
AC-3,
AC-6

Use of privileged utility programs

The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.

Yes

ISO 27017:2021

Where the use of utility programs is permitted, the cloud service customer should identify the utility programs to be used in its cloud computing environment, and ensure that they do not interfere with the controls of the cloud service.

ISO 27017:2021

The cloud service provider should identify the requirements for any utility programs used within the cloud service. The cloud service provider should ensure that any use of utility programs capable of bypassing normal operating or security procedures is strictly limited to authorized personnel, and that the use of such programs is reviewed and audited regularly.

Authorize access for organization-defined individuals or roles to:

• organization-defined security functions (deployed in hardware, software, and firmware); and
• organization-defined security-relevant information.

A.9.4.5

NIST SP
800-53
AC-3,
AC-6,
CM-5

Access control to program source code

Access to program source code shall be restricted.

Yes

CLD.9.5

Access control of cloud service customer data in shared virtual environment

ISO 27017:2021

CLD.9.5.1

Segregation in virtual computing environments

A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.

[…]

Applies to provider only.

ISO 27017:2021

CLD.9.5.2

Virtual machine hardening

Virtual machines in a cloud computing environment should be hardened to meet business needs.

[…]

Applies to both customer and provider.

ISMAP

9.5.2.PB

When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened […], and that the appropriate technical measures are in place […] for each virtual machine used.

A.10

Cryptography

A.10.1

Cryptographic controls

ISO 27002:2013

A.10.1.1

NIST SP 800-53
SC-13

Policy on the use of cryptographic controls

A policy on the use of cryptographic controls for protection of information shall be developed and implemented.

Yes

The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. […]

Yes

The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. […]

Yes

The cloud service provider provides the cloud service customer with the capability to use cryptographic techniques to protect the information processed by the customer, or provides information about the environment in which the cryptographic techniques are used.

Yes

ISO 27002:2013

A.10.1.2

NIST SP 800-53
SC-12

Key management

A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle

Yes

ISO 27017:2021

The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management.

Yes

ISMAP

10.1.2.20.PB

The cloud service provider provides a cloud service customer with a function that allows said customer to manage cryptographic keys used to encrypt information managed by said customer, or provides information on how said customer manages cryptographic keys

Yes

A.11

Physical and environmental security

A.11.1

Secure areas

ISO 27002:2013

A.11.1.1

NIST SP
800-53
PE-3

Physical security perimeter

Security perimeters shall be defined and used to protect areas that contain either sensitive or critical information and information processing facilities.

Yes

ISO 27002:2013

A.11.1.2

NIST SP
800-53
PE-2,
PE-4,
PE-5,
PE-3

Physical entry controls

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.

Yes

ISO 27002:2013

A.11.1.3

NIST SP
800-53
PE-5,
PE-3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and applied.

Yes

ISO 27002:2013

A.11.1.4

Protecting against external and environmental threats

Physical protection against natural disasters, malicious attack or accidents shall be designed and applied

Yes

ISO 27002:2013

A.11.1.5

Working in secure areas

Procedures for working in secure areas shall be designed and applied.

Yes

ISO 27002:2013

A.11.1.6

Delivery and loading areas

Access points such as delivery and loading areas and other points where unauthorized persons could enter the premises shall be controlled and, if possible, isolated from information processing facilities to avoid unauthorized access.

Yes

The organization:

1. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;
2. Reviews physical access logs organization-defined frequency and upon occurrence of organization-defined events or potential indications of events; and
3. Coordinates results of reviews and investigations with the organizational incident response capability.

A.11.2

Equipment

ISO 27002:2013

A.11.2.1

Equipment siting and protection

Equipment shall be sited and protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.

Yes

ISO 27002:2013

A.11.2.2

Supporting utilities

Equipment shall be protected from power failures and other disruptions caused by failures in supporting utilities.

Yes

ISO 27002:2013

A.11.2.3

NIST SP 800-53
PE-4

Cabling security

Power and telecommunications cabling carrying data or supporting information services shall be protected from interception, interference or damage.

Yes

ISO 27002:2013

A.11.2.4

NIST SP
800-53
MA-2

Equipment maintenance

Equipment shall be correctly maintained to ensure its continued availability and integrity.

Yes

The organization:

1. Approves and monitors nonlocal maintenance and diagnostic activities;
2. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;
3. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;
4. Maintains records for nonlocal maintenance and diagnostic activities; and
5. Terminates session and network connections when nonlocal maintenance is completed.

The organization:

1. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;
2. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and
3. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.

ISO 27002:2013

A.11.2.5

NIST SP
800-53
MA-2,
MA-5

Removal of assets

Equipment, information or software shall not be taken off-site without prior authorization.

Yes

A.11.2.6

NIST SP
800-53
AC-19,
AC-20,
MP-5,
PE-17

Security of equipment and assets off-premises

Security shall be applied to off-site assets taking into account the different risks of working outside the organization’s premises.

Yes

A.11.2.7

NIST SP
800-53
MP-6

Secure disposal or reuse of equipment

All items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use.

Yes

ISO 27017:2021

The cloud service customer should request confirmation that the cloud service provider has the policies and procedures for secure disposal or reuse of resources.

Yes

ISO 27017:2021

The cloud service provider should ensure that arrangements are made for the secure disposal or reuse of resources (e.g. equipment, data storage, files, memory) in a timely manner.

Yes

ISO 27002:2013

A.11.2.8

NIST SP
800-53
AC-11

Unattended user equipment

Users shall ensure that unattended equipment has appropriate protection.

Yes

ISO 27002:2013

A.11.2.9

NIST SP

800-53
AC-11,
MP-2,
MP-4

Clear desk and clear screen policy

A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities shall be adopted.

Yes

A.12

Operations security

A.12.1

Operational procedures and responsibilities

ISO 27002:2013

A.12.1.1

Documented operating procedures

Operating procedures shall be documented and made available to all users who need them.

Yes

ISO 27002:2013

A.12.1.2

NIST SP
800-53
CM-3,
CM-5

Change management

Changes to the organization, business processes, information processing facilities and systems that affect information security shall be controlled.

Yes

ISO 27017:2021

The cloud service customer's change management process should take into account the impact of any changes made by the cloud service provider.

Yes

ISO 27017:2021

The cloud service provider should provide the cloud service customer with information regarding changes to the cloud service that could adversely affect the cloud service. […]

Yes

ISMAP

12.1.2.11.PB

The cloud service provider provides cloud service customers with information about changes in cloud services that can adversely affect the information security of cloud service customers

Yes

The organization:

1. Establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;
2. Implements the configuration settings;
3. Identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and
4. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

ISO 27002:2013

A.12.1.3

Capacity management

The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance.

Yes

ISO 27017:2021

The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. […]

ISO 27017:2021

The cloud service provider should monitor the total resource capacity to prevent information security incidents caused by resource shortages.

ISO 27002:2013

A.12.1.4

NIST SP
800-53
CM-5

Separation of development, testing and operational environment

Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment.

Yes

ISO 27017:2021

CLD.12.1.5

Administrator's operational security

Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.

[…]

Customer: Document procedures for critical operations

Provider: Provide documentation about the critical operations

Yes

A.12.2

Protection from malware

A.12.2.1

NIST SP
800-53
AT-2,
SI-3

Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness

Yes

A.12.3

Backup

ISO 27002:2013

A.12.3.1

NIST SP
800-53
CP-9

Information backup

Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup

Yes

ISO 27017:2021

Where the cloud service provider provides backup capability as part of the cloud service, the cloud service customer should request the specifications of the backup capability from the cloud service provider. […]

Yes

ISO 27017:2021

The cloud service provider should provide the specifications of its backup capabilities to the cloud service customer. […]

Yes

A.12.4

Logging and monitoring

ISO 27002:2013

A.12.4.1

NIST SP 800-53
AU-3,
AU-6,
AU-11,
AU-12

Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.

Yes

ISO 27017:2021

The cloud service customer should define its requirements for event logging and verify that the cloud service meets those requirements.

Yes

ISO 27017:2021

The cloud service provider should provide logging capabilities to the cloud service customer.

Yes

The organization:

1. Determines that the information system is capable of auditing the following events: organization-defined auditable events;
2. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
3. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
4. Determines that the following events are to be audited within the information system: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event.

The information system:

1. Alerts organization-defined personnel or roles in the event of an audit processing failure; and
2. Takes the following additional actions: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

The information system provides an audit reduction and report generation capability that:

1. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
2. Does not alter the original content or time ordering of audit records.

ISO 27002:2013

A.12.4.2

NIST SP
800-53
AU-9

Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

Yes

ISO 27002:2013

A.12.4.3

NIST SP
800-53
AU-9,
AU-11

Administrator and operator logs

System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed.

Yes

ISO 27002:2013

A.12.4.4

NIST SP
800-53
AU-8

Clock synchronisation

The clocks of all relevant information processing systems within an organization or security domain shall be synchronised to a single reference time source.

Yes

ISO 27017:2021

The cloud service customer should request information about the clock synchronization used for the cloud service provider's systems.

Yes

ISO 27017:2021

The cloud service provider should provide information to the cloud service customer regarding the clock used by the cloud service provider's systems, and information about how the cloud service customer can synchronize local clocks with the cloud service clock.

Yes

Time Stamps:
Synchronization With Authoritative Time Source

The information system:

1. Compares the internal information system clocks organization-defined frequency with organization-defined authoritative time source; and
2. Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than organization-defined time period.

The organization:

1. Monitors the information system to detect:
   1. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
   2. Unauthorized local, network, and remote connections;
2. Identifies unauthorized use of the information system through organization-defined techniques and methods;
3. Deploys monitoring devices:
   1. Strategically within the information system to collect organization-determined essential information; and
   2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
4. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
5. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
6. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
7. Provides organization-defined information system monitoring information to organization-defined personnel or roles as needed or by organization-defined frequency.

ISO 27017:2021

CLD.12.4.5

Monitoring of Cloud Services

The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.[…]

Customer: Request information from of the service monitoring capabilities

Provider: Provide capabilities

Yes

Yes

ISO 27002:2013

A.12.5.1

NIST SP
800-53
CM-5,
CM-7,
CM-11

Installation of software on operational systems

Procedures shall be implemented to control the installation of software on operational systems.

Yes

A.12.6

Technical vulnerability management

ISO 27002:2013

A.12.6.1

NIST SP
800-53
RA-3,
RA-5,
SI-2

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.

Yes

ISO 27017:2021

The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided.

Yes

ISO 27017:2021

The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities that can affect the cloud services provided.

Yes

ISO 27002:2013

A.12.6.2

NIST SP
800-53
CM-11

Restrictions on software installation

Rules governing the installation of software by users shall be established and implemented.

Yes

The organization:

1. Reviews the information system organization-defined frequency to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
2. Disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

The organization:

1. Identifies organization-defined software programs not authorized to execute on the information system;
2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and

The organization:

1. Identifies organization-defined software programs authorized to execute on the information system;
2. Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
3. Reviews and updates the list of authorized software programs organization-defined frequency.

The organization:

1. Defines acceptable and unacceptable mobile code and mobile code technologies;
2. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and
3. Authorizes, monitors, and controls the use of mobile code within the information system.

A.12.7

Information systems audit considerations

ISO 27002:2013

A.12.7.1

Information systems audit controls

Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business

Yes

A.13

Communications security

A.13.1

Network security management

ISO 27002:2013

A.13.1.1

NIST SP
800-53
AC-3,
AC-17,
AC-18,
AC-20,
SC-7,
SC-8,
SC-10

Network controls

Networks shall be managed and controlled to protect information in systems and applications.

Yes

ISO 27002:2013

A.13.1.2

Security of network services

Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced.

Yes

ISO 27002:2013

A.13.1.3

NIST SP
800-53
AC-4,
SC-7

Segregation in networks

Groups of information services, users and information systems shall be segregated on networks.

Yes

ISO 27017:2021

The cloud service customer should define its requirements for segregating networks to achieve tenant isolation in the shared environment of a cloud service and verify that the cloud service provider meets those requirements.

Yes

ISO 27017:2021

The cloud service provider should enforce segregation of network access for the following cases: […]

Yes

ISO 27017:2021

CLD.13.1.4

Alignment of security management for virtual and physical networks

Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.

No

A.13.2

Information transfer

ISO 27002:2013

A.13.2.1

NIST SP
800-53
AC-4,
AC-17,
AC-18,
AC-19,
AC-20,
PE-17,
SC-7,
SC-8,
SC-15

Information transfer policies and procedures

Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.

Yes

ISO 27002:2013

A.13.2.2

Agreements on information transfer

Agreements shall address the secure transfer of business information between the organization and external parties.

Yes

ISO 27002:2013

A.13.2.3

NIST SP 800-53
SC-8

Electronic messaging

Information involved in electronic messaging shall be appropriately protected.

Yes

The organization:

1. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and

ISO 27002:2013

A.13.2.4

Confidentiality or nondisclosure agreements

Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed and documented.

Yes

A.14

System acquisition, development and maintenance

A.14.1

Security requirements of information systems

ISO 27002:2013

A.14.1.1

Information security requirements analysis and specification

The information security related requirements shall be included in the requirements for new information systems or enhancements to existing information systems.

Yes

ISO 27017:2021

The cloud service customer should determine its information security requirements for the cloud service and then evaluate whether services offered by a cloud service provider can meet these requirements. […]

Yes

ISO 27017:2021

The cloud service provider should provide information to the cloud service customers about the information security capabilities they use. […]

Yes

ISO 27002:2013

A.14.1.2

NIST SP
800-53
AC-3,
AC-4,
AC-17,
SC-8,
SC-13

Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.

Yes

ISO 27002:2013

A.14.1.3

NIST SP 800-53
AC-3,
AC-4,
SC-7,
SC-8,
SC-13

Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay.

Yes

A.14.2

Security in development and support processes

ISO 27002:2013

A.14.2.1

Secure development policy

Rules for the development of software and systems shall be established and applied to developments within the organization.

Yes

ISO 27017:2021

The cloud service customer should request information from the cloud service provider about the cloud service provider's use of secure development procedures and practices

Yes

ISO 27017:2021

The cloud service provider should provide information about its use of secure development procedures and practices to the extent compatible with its policy for disclosure.

Yes

ISO 27002:2013

A.14.2.2

NIST SP 800-53
CM-3,
SI-2

System change control procedures

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures.

Yes

ISO 27002:2013

A.14.2.3

NIST SP 800-53
CM-3,
CM-4,
SI-2

Technical review of applications after operating platform changes

When operating platforms are changed, business critical applications shall be reviewed and tested to ensure there is no adverse impact on organizational operations or security.

Yes

ISO 27002:2013

A.14.2.4

NIST SP
800-53
CM-3

Restrictions on changes to software packages

Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled.

Yes

ISO 27002:2013

A.14.2.5

NIST SP
800-53
SA-8

Secure system engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system implementation efforts.

Yes

ISO 27002:2013

A.14.2.6

Secure development environment

Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.

Yes

ISO 27002:2013

A.14.2.7

Outsourced development

The organization shall supervise and monitor the activity of outsourced system development.

Yes

ISO 27002:2013

A.14.2.8

NIST SP
800-53
CA-2

System security testing

Testing of security functionality shall be carried out during development.

Yes

ISO 27002:2013

A.14.2.9

System acceptance testing

Acceptance testing programs and related criteria shall be established for new information systems, upgrades and new versions.

Yes

A.14.3

Test data

ISO 27002:2013

A.14.3.1

Protection of test data

Test data shall be selected carefully, protected and controlled.

Yes

A.15

Supplier relationships

A.15.1

Information security in supplier relationships

ISO 27002:2013

A.15.1.1

Information security policy for supplier relationships

Information security requirements for mitigating the risks associated with supplier’s access to the organization’s assets shall be agreed with the supplier and documented.

Yes

ISO 27017:2021

The cloud service customer should include the cloud service provider as a type of supplier in its information security policy for supplier relationships. This will help to mitigate risks associated with the cloud service provider's access to and management of the cloud service customer data.

Yes