Cloud Security in ISO 27002:2022

4 years ago

ISO 27002 now specifically covers Cloud Security. This is what you must do to comply … 🧵 👉 #cloudsecurity #cloudcomputing #cybersecurity #infosec #iso27001 #iso27002
While the previous version of #iso27001 #iso27002 only mentions cloud services once, in a sub-control of the Supplier relationships chapter (A 15.1.3), the 2022 version now has a dedicated control 'Information security for use of cloud services'. #cloudsecurity #cloudcomputing
Control 5.23 brings together relevant security mgt aspects from previous controls for services and supply chain mgt, systems requirements specification, ‘application services on public networks’, and adds some detail inspired by privacy regulation. #cloudsecurity #privacy #gdpr
Also, items from ISO 27017 and 27018 – standards dealing with public cloud services and PII processing – have been incorporated in the new control 5.23 Information security for use of cloud services. #cloudsecurity #cloudcomputing #cybersecurity #infosec #iso27001 #privacy #gdpr
These are the main actions you need to take: 1) Define policies for the selection, use and termination of cloud services; 2) Review cloud service agreements; 3) Perform risk assessments for the use of cloud services. 👉️ Next: requirements for Policies and Agreements ...
The #iso27002 implementation guidance for Control 5.23 specifies requirements for Cloud service policies and Agreements with cloud service providers.
#iso27002 main points for Cloud service policies (1/3): - security requirements and selection criteria - usage scope - integration with and between services - change mgt - termination procedures - roles and responsibilities for the use of cloud services ... #cloudsecurity
#iso27002 main points for Cloud service policies (2/3): - division between security controls managed by the provider and managed by the organization - assurance of security controls managed by the provider - usage of security capabilities of the cloud service ... #cloudsecurity
#iso27002 main points for Cloud service policies (3/3): - procedures for monitoring, reviewing and evaluating information security risks with respect to cloud service usage - procedures for managing #infosec incidents. 👉️ Next: Cloud service Agreements ... #cloudsecurity #cybersecurity
#iso27002 main points for Agreements with cloud service providers (1/2): - usage of industry standards for #architecture and #infrastructure - access controls meet the organization's requirements - use of anti-malware - specification of data storage locations ... #cloudsecurity #infosec
#iso27002 main points for Agreements with cloud service providers (2/2): - incident support - #infosec when sub-contracting - support for exiting the service - #backups and backup mgt - providing organization-owned data if requested - advance notification of service changes.
I hope this thread will help in preparing your #cloudsecurity management for the transition to the new ISO 27001 later this year. Contact me with any #iso27001 #iso27002 questions you may have. Stay safe and secure! – @richardk #cloudcomputing #cybersecurity #infosec
ISO 27001 Toolkit

@iso27diy

🧰 Implement ISO 27001 yourself!🏅Get Certified 🧘‍♀️ Build Customer Trust 🚀 Accelerate Sales! #infosec #iso27001 by @richardk