Cloud Controls and ISO 27017 List

Cloud Controls and ISO 27017 List
Control
Cloud Control / Control Control Group Control Sub
Number Shortcode Short Control
ISO Group Number Group
specific
CC Multi 3 1 Multi Tenancy CC-MULTI-01 Cloud provider

Tenancy capacity management
CC Multi 3 2 Multi Tenancy CC-MULTI-02 Acceptable activities
Tenancy other customers
CC Multi 3 3 Multi Tenancy CC-MULTI-03 Isolation failure risk

Tenancy
CC Multi 3 4 Multi Tenancy CC-MULTI-04 Network segregation

Tenancy
CC Multi 3 5 Multi Tenancy CC-MULTI-05 Control over hardware

Tenancy in case of subpoena's
CC Outsourcing 2 1 Management CC-OUTS-01 Clear agreements

Information
and Control
CC Outsourcing Management CC-OUTS-39 Changes to

Information agreements
and Control
CC Outsourcing 2 2 Management CC-OUTS-02 Portability of services
Information
and Control
CC Outsourcing 2 3 Management CC-OUTS-03 Customer risk
Information assessment
and Control
CC Outsourcing 2 4 Management CC-OUTS-04 Cloud provider
Information compliance with SLA
and Control
CC Outsourcing 2 5 Management CC-OUTS-05 Breach of uptime

Information commitment
and Control
CC Outsourcing 2 6 Management CC-OUTS-06 Information on audits
Information and control over non
and Control compliance measures
CC Outsourcing 2 7 Management CC-OUTS-07 Extreme provisioning

Information requests
and Control
CC Outsourcing 2 8 Management CC-OUTS-08 Control over assets at

Information cloud provider
and Control termination
CC Outsourcing 2 9 Management CC-OUTS-09 Canceling of services
Information
and Control
CC Outsourcing 2 10 Management CC-OUTS-10 Control over

Information interruption of
and Control services
CC Outsourcing 2 11 Legal Process CC-OUTS-11 Data location and

applicable
jurisdictions
CC Outsourcing 2 12 Legal Process CC-OUTS-12 Evidence collection
CC Outsourcing 2 13 Legal Process CC-OUTS-13 Customer

investigations
CC Outsourcing 2 14 Legal Process CC-OUTS-14 Review of agreements

and law
CC Outsourcing 2 15 Legal Process CC-OUTS-15 Disclosure of relevant

legislation and
regulatory contacts
CC Outsourcing 2 16 Legal Process CC-OUTS-16 Secure data

ownership
CC Outsourcing 2 17 Legal Process CC-OUTS-17 Legal response
CC Outsourcing 2 18 Privacy and CC-OUTS-18 Privacy policy

Access to
Data
CC Outsourcing 2 19 Privacy and CC-OUTS-19 Access of cloud

Access to provider personnel
Data
CC Outsourcing 2 20 Privacy and CC-OUTS-20 Data retention policy

Access to
Data
CC Outsourcing 2 21 Infrastructure CC-OUTS-21 Information over
Design availability and
performance
CC Outsourcing 2 22 Infrastructure CC-OUTS-22 Information on
Design resiliency
management
CC Outsourcing 2 23 Infrastructure CC-OUTS-23 Changes in
Design technology and
change management
CC Outsourcing 2 24 Security CC-OUTS-24 Information on

Process security status and
policy changes
CC Outsourcing 2 25 Security CC-OUTS-25 Security weaknesses
Process
CC Outsourcing 2 26 Security CC-OUTS-26 Conflicting roles

Process
CC Outsourcing 2 27 Security CC-OUTS-27 Customer
Process responsibility
regarding incidents
CC Outsourcing 2 28 Security CC-OUTS-28 Customer vulnerability
Process assessment
CC Outsourcing 2 29 Operational CC-OUTS-29 Information on

Process incidents
CC Outsourcing 2 30 Operational CC-OUTS-30 Information regarding

Process SLA performance and
service usage
CC Outsourcing 2 31 Operational CC-OUTS-31 Information and
Process planning regarding
maintenance and
information on
CC Outsourcing 2 32 Operational CC-OUTS-32 outages
Information on
Process degraded services
CC Outsourcing 2 33 Operational CC-OUTS-33 User manuals
Process
CC Outsourcing 2 34 Connecting to CC-OUTS-34 Management Interface

the service Protection
CC Outsourcing 2 35 Connecting to CC-OUTS-35 Customer payment

the service data
CC Outsourcing 2 36 Connecting to CC-OUTS-36 Management interface

the service access functionality
and policies
CC Outsourcing 2 37 Connecting to CC-OUTS-37 Management Interface

the service Availability
CC Outsourcing 2 38 Connecting to CC-OUTS-38 Customer personnel

the service authorisation
Availability Availability 1 1 Availability CC-AVAIL-01 Availability

ISO ISO 0 A.5.1.1 Security ISO27002 A.5.1.1 Information

policy A.5.1.1 Security Policy
document
ISO ISO 0 A.5.1.2 Security ISO27002 A.5.1.2 Review of the
policy A.5.1.2 information security
policy
ISO ISO 0 A.6.1.1 Organization ISO27002 A.6.1.1 Management
of information A.6.1.1 commitment to
security information security
ISO ISO 0 A.6.1.2 Organization ISO27002 A.6.1.2 Information
of information A.6.1.2 security coordination
security
ISO ISO 0 A.6.1.3 Organization ISO27002 A.6.1.3 Allocation of
of information A.6.1.3 information security
security responsibilities
ISO ISO 0 A.6.1.4 Organization ISO27002 A.6.1.4 Authorization
of information A.6.1.4 process for
security information
processing facilities
ISO ISO 0 A.6.1.5 Organization ISO27002 A.6.1.5 Confidentiality
of information A.6.1.5 agreements
security
ISO ISO 0 A.6.1.6 Organization ISO27002 A.6.1.6 Contact with
of information A.6.1.6 authorities
security
ISO ISO 0 A.6.1.7 Organization ISO27002 A.6.1.7 Contact with
of information A.6.1.7 special interest
security groups
ISO ISO 0 A.6.1.8 Organization ISO27002 A.6.1.8 Independent
of information A.6.1.8 review of information
security security
ISO ISO 0 A.6.2.1 Organization ISO27002 A.6.2.1 Identification
of information A.6.2.1 of risks related to
security external parties
ISO ISO 0 A.6.2.2 Organization ISO27002 A.6.2.2 Addressing
of information A.6.2.2 security when dealing
security with customers
ISO ISO 0 A.6.2.3 Organization ISO27002 A.6.2.3 Addressing
of information A.6.2.3 security in third party
security agreements
ISO ISO 0 A.7.1.1 Asset ISO27002 A.7.1.1 inventory of
Management A.7.1.1 assets
ISO ISO 0 A.7.1.2 Asset ISO27002 A.7.1.2 Ownership of
Management A.7.1.2 assets
ISO ISO 0 A.7.1.3 Asset ISO27002 A.7.1.3 Acceptable use
Management A.7.1.3 of assets
ISO ISO 0 A.7.2.1 Asset ISO27002 A.7.2.1 Classification
Management A.7.2.1 guidelines
ISO ISO 0 A.7.2.2 Asset ISO27002 A.7.2.2 Information
Management A.7.2.2 labelling and handling
ISO ISO 0 A.8.1.1 Human ISO27002 A.8.1.1 Roles and
resources A.8.1.1 responsibilities
security
ISO ISO 0 A.8.1.2 Human ISO27002 A.8.1.2 Screening
resources A.8.1.2
security
ISO ISO 0 A.8.1.3 Human ISO27002 A.8.1.3 Terms and
resources A.8.1.3 conditions of
security employment
ISO ISO 0 A.8.2.1 Human ISO27002 A.8.2.1 Management

security
ISO ISO 0 A.8.2.2 Human ISO27002 A.8.2.2 Information
resources A.8.2.2 security awareness,
security education and training
ISO ISO 0 A.8.2.3 Human ISO27002 A.8.2.3 Disciplinary
resources A.8.2.3 process
security
ISO ISO 0 A.8.3.1 Human ISO27002 A.8.3.1 Termination

security
ISO ISO 0 A.8.3.2 Human ISO27002 A.8.3.2 Return of

resources A.8.3.2 assets
security
ISO ISO 0 A.8.3.3 Human ISO27002 A.8.3.3 Removal of
resources A.8.3.3 access rights
security
ISO ISO 0 A.9.1.1 Physical and ISO27002 A.9.1.1 Physical
environmenta A.9.1.1 security perimeter
l security
ISO ISO 0 A.9.1.2 Physical and ISO27002 A.9.1.2 Physical entry
environmenta A.9.1.2 controls
l security
ISO ISO 0 A.9.1.3 Physical and ISO27002 A.9.1.3 Securing
environmenta A.9.1.3 offices, rooms and
l security facilities
ISO ISO 0 A.9.1.4 Physical and ISO27002 A.9.1.4 Protecting
environmenta A.9.1.4 against external and
l security environmental threats
ISO ISO 0 A.9.1.5 Physical and ISO27002 A.9.1.5 Working in
environmenta A.9.1.5 secure areas
l security
ISO ISO 0 A.9.1.6 Physical and ISO27002 A.9.1.6 Public access,
environmenta A.9.1.6 delivery and loading
l security areas
ISO ISO 0 A.9.2.1 Physical and ISO27002 A.9.2.1 Equipment
environmenta A.9.2.1 siting and protection
l security
ISO ISO 0 A.9.2.2 Physical and ISO27002 A.9.2.2 Supporting
environmenta A.9.2.2 utilities
l security
ISO ISO 0 A.9.2.3 Physical and ISO27002 A.9.2.3 Cabling
environmenta A.9.2.3 security
l security
ISO ISO 0 A.9.2.4 Physical and ISO27002 A.9.2.4 Equipment
environmenta A.9.2.4 maintenance
l security
ISO ISO 0 A.9.2.5 Physical and ISO27002 A.9.2.5 Security of
environmenta A.9.2.5 equipment off-
l security premises
ISO ISO 0 A.9.2.6 Physical and ISO27002 A.9.2.6 Secure
environmenta A.9.2.6 disposal or re-use of
l security equipment
ISO ISO 0 A.9.2.7 Physical and ISO27002 A.9.2.7 Removal of
environmenta A.9.2.7 property
l security
ISO ISO 0 A.10.1.1 Communicati ISO27002 A.10.1.1 Documented
ons and A.10.1.1 Operating procedures
operations
management
ISO ISO 0 A.10.1.2 Communicati ISO27002 A.10.1.2 Change
ons and A.10.1.2 management
operations
management
ISO ISO 0 A.10.1.3 Communicati ISO27002 A.10.1.3 Segregation
ons and A.10.1.3 of duties
operations
management
ISO ISO 0 A.10.1.4 Communicati ISO27002 A.10.1.4 Separation of
ons and A.10.1.4 development, test and
operations operational facilities
management
ISO ISO 0 A.10.2.1 Communicati ISO27002 A.10.2.1 Service
ons and A.10.2.1 delivery
operations
management
ISO ISO 0 A.10.2.2 Communicati ISO27002 A.10.2.2 Monitoring
ons and A.10.2.2 and review of third
operations party services
management
ISO ISO 0 A.10.2.3 Communicati ISO27002 A.10.2.3 Managing
ons and A.10.2.3 changes to third party
operations services
management
ISO ISO 0 A.10.3.1 Communicati ISO27002 A.10.3.1 Capacity
ons and A.10.3.1 management
operations
management
ISO ISO 0 A.10.3.2 Communicati ISO27002 A.10.3.2 System
ons and A.10.3.2 acceptance
operations
management
ISO ISO 0 A.10.4.1 Communicati ISO27002 A.10.4.1 Controls
ons and A.10.4.1 against malicious
operations code
management
ISO ISO 0 A.10.4.2 Communicati ISO27002 A.10.4.2 Controls
ons and A.10.4.2 against mobile code
operations
management
ISO ISO 0 A.10.5.1 Communicati ISO27002 A.10.5.1 Information
ons and A.10.5.1 back-up
operations
management
ISO ISO 0 A.10.6.1 Communicati ISO27002 A.10.6.1 Network
ons and A.10.6.1 controls
operations
management
ISO ISO 0 A.10.6.2 Communicati ISO27002 A.10.6.2 Security of
ons and A.10.6.2 network services
operations
management
ISO ISO 0 A.10.7.1 Communicati ISO27002 A.10.7.1 Management
ons and A.10.7.1 of removable media
operations
management
ISO ISO 0 A.10.7.2 Communicati ISO27002 A.10.7.2 Disposal of
ons and A.10.7.2 media
operations
management
ons and A.10.7.3 handling procedures
operations
management
ISO ISO 0 A.10.7.4 Communicati ISO27002 A.10.7.4 Security of
ons and A.10.7.4 system
operations documentation
management
ons and A.10.8.1 exchange policies and
operations procedures
management
ISO ISO 0 A.10.8.2 Communicati ISO27002 A.10.8.2 Exchange
ons and A.10.8.2 agreements
operations
management
ISO ISO 0 A.10.8.3 Communicati ISO27002 A.10.8.3 Physical
ons and A.10.8.3 media in transit
operations
management
ISO ISO 0 A.10.8.4 Communicati ISO27002 A.10.8.4 Electronic
ons and A.10.8.4 messaging
operations
management
ISO ISO 0 A.10.8.5 Communicati ISO27002 A.10.8.5 Business
ons and A.10.8.5 information systems
operations
management
ISO ISO 0 A.10.9.1 Communicati ISO27002 A.10.9.1 Electronic
ons and A.10.9.1 commerce
operations
management
ISO ISO 0 A.10.9.2 Communicati ISO27002 A.10.9.2 On-line
ons and A.10.9.2 transactions
operations
management
ISO ISO 0 A.10.9.3 Communicati ISO27002 A.10.9.3 Publicly
ons and A.10.9.3 available information
operations
management
ISO ISO 0 A.10.10.1 Communicati ISO27002 A.10.10.1 Audit
ons and A.10.10.1 logging
operations
management
ISO ISO 0 A.10.10.2 Communicati ISO27002 A.10.10.2 Monitoring
ons and A.10.10.2 system use
operations
management
ISO ISO 0 A.10.10.3 Communicati ISO27002 A.10.10.3 Protection of
ons and A.10.10.3 log information
operations
management
ISO ISO 0 A.10.10.4 Communicati ISO27002 A.10.10.4
ons and A.10.10.4 Administrator and
operations operator logs
management
ISO ISO 0 A.10.10.5 Communicati ISO27002 A.10.10.5 Fault
ons and A.10.10.5 logging
operations
management
ISO ISO 0 A.10.10.6 Communicati ISO27002 A.10.10.6 Clock
ons and A.10.10.6 synchronization
operations
management
ISO ISO 0 A.11.1.1 Access ISO27002 A.11.1.1 Access
control A.11.1.1 control policy
ISO ISO 0 A.11.2.1 Access ISO27002 A.11.2.1 User
control A.11.2.1 registration
ISO ISO 0 A.11.2.2 Access ISO27002 A.11.2.2 Privilege
control A.11.2.2 management
control A.11.2.3 password
ISO ISO 0 A.11.2.4 Access ISO27002 management
A.11.2.4 Review of
control A.11.2.4 user access rights
ISO ISO 0 A.11.3.1 Access ISO27002 A.11.3.1 Password use
control A.11.3.1
ISO ISO 0 A.11.3.2 Access ISO27002 A.11.3.2 Unattended
control A.11.3.2 user equipment
ISO ISO 0 A.11.3.3 Access ISO27002 A.11.3.3 Clear desk
control A.11.3.3 and screen policy
ISO ISO 0 A.11.4.1 Access ISO27002 A.11.4.1 Policy on use
control A.11.4.1 of network services
control A.11.4.2 authentication for
external connections
ISO ISO 0 A.11.4.3 Access ISO27002 A.11.4.3 Equipment
control A.11.4.3 identification in
networks
ISO ISO 0 A.11.4.4 Access ISO27002 A.11.4.4 Remote
control A.11.4.4 diagnostic and
configuration port
protection
ISO ISO 0 A.11.4.5 Access ISO27002 A.11.4.5 Segregation
control A.11.4.5 in networks
ISO ISO 0 A.11.4.6 Access ISO27002 A.11.4.6 Network

control A.11.4.6 connection control
ISO ISO 0 A.11.4.7 Access ISO27002 A.11.4.7 Network
control A.11.4.7 routing control
ISO ISO 0 A.11.5.1 Access ISO27002 A.11.5.1 Secure log-on
control A.11.5.1 procedures
control A.11.5.2 identification and
authentication
ISO ISO 0 A.11.5.3 Access ISO27002 A.11.5.3 Password
control A.11.5.3 management system
ISO ISO 0 A.11.5.4 Access ISO27002 A.11.5.4 Use of system
control A.11.5.4 utilities
ISO ISO 0 A.11.5.5 Access ISO27002 A.11.5.5 Session time-
control A.11.5.5 out
ISO ISO 0 A.11.5.6 Access ISO27002 A.11.5.6 Limitation of
control A.11.5.6 connection time
ISO ISO 0 A.11.6.1 Access ISO27002 A.11.6.1 Information
control A.11.6.1 access restriction
ISO ISO 0 A.11.6.2 Access ISO27002 A.11.6.2 Sensitive
control A.11.6.2 system isolation
ISO ISO 0 A.11.7.1 Access ISO27002 A.11.7.1 Mobile
control A.11.7.1 computing and
communications
ISO ISO 0 A.11.7.2 Access ISO27002 A.11.7.2 Teleworking
control A.11.7.2
ISO ISO 0 A.12.1.1 Information ISO27002 A.12.1.1 Security
systems A.12.1.1 requirements analysis
acquisition, and specification
development
and
maintenance
ISO ISO 0 A.12.2.1 Information ISO27002 A.12.2.1 Input data
systems A.12.2.1 validation
acquisition,
development
and
maintenance
ISO ISO 0 A.12.2.2 Information ISO27002 A.12.2.2 Control of
systems A.12.2.2 internal processing
acquisition,
development
and
maintenance
ISO ISO 0 A.12.2.3 Information ISO27002 A.12.2.3 Message
systems A.12.2.3 integrity
acquisition,
development
and
maintenance
ISO ISO 0 A.12.2.4 Information ISO27002 A.12.2.4 Output data
systems A.12.2.4 validation
acquisition,
development
and
maintenance
ISO ISO 0 A.12.3.1 Information ISO27002 A.12.3.1 Policy on the
systems A.12.3.1 use of cryptographic
acquisition, controls
development
and
maintenance
ISO ISO 0 A.12.3.2 Information ISO27002 A.12.3.2 Key
systems A.12.3.2 management
acquisition,
development
and
maintenance
systems A.12.4.1 operational software
acquisition,
development
and
maintenance
ISO ISO 0 A.12.4.2 Information ISO27002 A.12.4.2 Protection of
systems A.12.4.2 system test data
acquisition,
development
and
maintenance
ISO ISO 0 A.12.4.3 Information ISO27002 A.12.4.3 Access
systems A.12.4.3 control to program
acquisition, source code
development
and
maintenance
ISO ISO 0 A.12.5.1 Information ISO27002 A.12.5.1 Change
systems A.12.5.1 control procedures
acquisition,
development
and
maintenance
ISO ISO 0 A.12.5.2 Information ISO27002 A.12.5.2 Technical
systems A.12.5.2 review of applications
acquisition, after operating system
development changes
and
maintenance
ISO ISO 0 A.12.5.3 Information ISO27002 A.12.5.3 Restrictions
systems A.12.5.3 on changes to
acquisition, software packages
development
and
maintenance
ISO ISO 0 A.12.5.4 Information ISO27002 A.12.5.4 Information
systems A.12.5.4 leakage
acquisition,
development
and
maintenance
ISO ISO 0 A.12.5.5 Information ISO27002 A.12.5.5 Outsourced
systems A.12.5.5 software development
acquisition,
development
and
maintenance
systems A.12.6.1 technical
acquisition, vulnerabilities
development
and
maintenance
ISO ISO 0 A.13.1.1 Information ISO27002 A.13.1.1 Reporting
security A.13.1.1 information security
incident events
management
ISO ISO 0 A.13.1.2 Information ISO27002 A.13.1.2 Reporting
security A.13.1.2 security weaknesses
incident
management
ISO ISO 0 A.13.2.1 Information ISO27002 A.13.2.1
security A.13.2.1 Responsibilities and
incident procedures
management
ISO ISO 0 A.13.2.2 Information ISO27002 A.13.2.2 Learning from
security A.13.2.2 information security
incident incidents
management
ISO ISO 0 A.13.2.3 Information ISO27002 A.13.2.3 Collection of
security A.13.2.3 evidence
incident
management
ISO ISO 0 A.14.1.1 Business ISO27002 A.14.1.1 Including
continuity A.14.1.1 information security in
management the business
continuity
management process
ISO ISO 0 A.14.1.2 Business ISO27002 A.14.1.2 Business

continuity A.14.1.2 continuity and risk
management assessment
ISO ISO 0 A.14.1.3 Business ISO27002 A.14.1.3 Developing
continuity A.14.1.3 and implementing
management continuity plans
including information
security
ISO ISO 0 A.14.1.4 Business ISO27002 A.14.1.4 Business
continuity A.14.1.4 continuity planning
management framework
ISO ISO 0 A.14.1.5 Business ISO27002 A.14.1.5 Testing,
continuity A.14.1.5 maintaining and re-
management assessing business
continuity plans
ISO ISO 0 A.15.1.1 Compliance ISO27002 A.15.1.1 Identification
A.15.1.1 of applicable
legislation
ISO ISO 0 A.15.1.2 Compliance ISO27002 A.15.1.2 Intellectual
A.15.1.2 property rights (IPR)
ISO ISO 0 A.15.1.3 Compliance ISO27002 A.15.1.3 Protection of
A.15.1.3 organizational records
ISO ISO 0 A.15.1.4 Compliance ISO27002 A.15.1.4 Data
A.15.1.4 protection and privacy
or personal
information
ISO ISO 0 A.15.1.5 Compliance ISO27002 A.15.1.5 Prevention of
A.15.1.5 misuse of information
processing facilities
ISO ISO 0 A.15.1.6 Compliance ISO27002 A.15.1.6 Regulation of
A.15.1.6 cryptographic
ISO ISO 0 A.15.2.1 Compliance ISO27002 controls Compliance
A.15.2.1
A.15.2.1 with security policies
and standards
ISO ISO 0 A.15.2.2 Compliance ISO27002 A.15.2.2 Technical
A.15.2.2 compliance checking
ISO ISO 0 A.15.3.1 Compliance ISO27002 A.15.3.1 Information

A.15.3.1 systems audit
ISO ISO 0 A.15.3.2 Compliance ISO27002 controls Protection of
A.15.3.2
A.15.3.2 information systems
audit tools
Control Group Group # Group Count Group Short
6= Cloud Service Integration Future Future Future
5= SaaS Future Future Future
4= PaaS Future Future Future
3= Multi tenancy 3 5 MULTI
2= Outsourcing 2 38 OUTS
1= Availability 1 7 AVAIL
0= ISO27002 0 133 ISO27002
183
Mapping:
National Cyber
Security Centrum
Mapping: 27017 -
Control Mapping: CSA
(draft) beveiligingsrichtl
ijnen voor web
applicaties
(Dutch)
Cloud provider will ensure enough capacity is available, taking peaks in 11.4.1
usage and multi tenancy into account.
Acceptable use with regard to other customers: A customer acceptable IS-26
use policy will be defined. Prohibited activities in the customer
acceptable use policy include illegal activities and activities that threaten
the performance of other customers. Immediate action is taken when
cloud provider becomes aware acceptable use policy is contravened.
Isolation failure risk in virtualization technology and storage is frequently IS-34
reviewed and is managed to a minimum.
It is possible to completely separate the environments of a single 11.5.3

customer on the network level, sniffing and ip spoofing should be
impossible. It should be possible to firewall the customer environment.
Subpoena of other customer: In a subpoena situation the cloud provider
commits to make a commercially reasonable effort to resist within the
limits of applicable law any confiscation of hardware or data from
customers that are not subpoenaed. Procedures are in place allowing the
safe extraction of customer assets upon subpoena.
All terms of business are clearly described and communicated. SLAs 11.1.3, 14.2.8 IS-31
between the client and the service organization clearly describe the
scope of the stack and application of the SLA.
The risk f the provider changing the SLA, Terms of Business or the rest
of the agreement against the customers' whishes is mitigated.
Short term contracts are used, customer virtual assets are exportable 11.5.3
and transportable in an industry-accepted format. Sufficient access to
the environment or data will be granted in order to implement migration.
Provider should provide information on request regarding the potential 16.1.1
for: law enforcement driven confiscation, provider termination, vendor
lock-in, change in ownership, financial instability.
Procedures regarding the fulfillment of SLA agreements are defined,
implemented and will be internally communicated. Upon a change in
policies or SLA fulfillment which negatively affect the compliance with
the SLA, the clients are promptly informed. The cloud provider will get a
reasonable period to bring the SLA delivery back into compliance. If the
SLA delivery is not brought back in compliance a compensation is
offered to the affected clients. If compliance with the SLA can not be
achieved because of a change of law the relevant points of non-
compliance will be deemed permissible.
A robust committed uptime breach remedy and compensation system is
in place. Availability is defined as pingable from outside the network.
Key product components being unavailable also implies a service is
down. Scheduled downtime is reported in advance. Force majeure
excludes a single supplier failing to provide service.
Cloud provider should communicate audit policy, controls and results. 7.1.2, 17.3.1, 10.3.1
Reports should not include information which might lead to compromise.
If an audit reveals the provider is not in compliance with the standards it
is committed to, the relevant customers are informed. The cloud provider
will get a reasonable period to bring the standard back in compliance. If
the standard is not brought back into compliance customers should be
compensated. If a change in the law makes it impossible to get back into
compliance the relevant point of non-compliance will be deemed
permissible.
The customer is informed of extreme provisioning requests. Extreme
provisioning requests made by mistake or by malicious insiders of the
client organization (Economic Denial of Service or EDOS) can be revoked
if noticed within a reasonable timeframe. It is possible to cap cost by
agreement.
An arrangement should be in place ensuring access to data and assets
in case the service organization would unexpectedly seize its activities.
No frivolous canceling of customer contracts: The cloud provider may

only cancel a customer contract on short notice if required by law, the
services are not paid for or breaches of the fair use policy are ignored.
The customer is warned ahead of time if possible and there is a
procedure that needs to be followed in these circumstances.
The cloud provider may only suspend a customers' service when it is
forced to. The cloud provider may only willingly interrupt the service if
required by law, services are not paid for, a breach of the fair use policy
is not remedied or the services or other customers are threatened. The
customer is warned ahead of time if possible and there is a procedure
that needs to be followed in these circumstances.
Customer can determine jurisdiction where data is stored. It should be 11.7.2, 17.1.4
communicated which governments and jurisdictions can lay claim to a
customers' data, also in situations where the data is transferred from one
part of the provider network to another.
There should be a policy for retaining evidence and information on this 15.1.7, 11.7.2,
policy should be provided. Automated collection of evidence is 9.2.7
implemented. Data chain of custody is maintained. Virtual assets also
have chain of
Supporting custody.investigations: Cloud provider will cooperate in
customer 9.1.2
any incident investigation by the customer including the handing over of
relevant logs (subject to privacy commitments).
All relevant contracts, NDA requirements and law should be reviewed LG-01
periodically.
Cloud provider should communicate legislation relevant to the service6.1.4, 17.1.1, 17.1.3, 17.1.6
that could impact the services of the customer. Cloud provider should
also provide details on supervisory authority, court of jurisdiction and
contact details. Customer shall be informed about jurisdiction of
transport within the provider network.
Customer data always remains owned by the customer. Provider should 17.1.2
communicate intellectual property rights that it claims.
Cloud provider commits to make a commercially reasonable effort to 6.1.4
resist any cease and desist or subpoena procedure if the customer so
requires within the limits of applicable law. If informing the customer of a
legal request or demand is not allowed cloud provider will assume client
would want to resist such request.
A privacy policy is developed, formally communicated and audited. 6.1.3, 7.1.2 SA-07
Robust NDA clauses are added to the terms describing the
confidentiality of all customer data. Policy regarding customer data
separation will be communicated and audited, the results of the audits
will also be communicated.
Cloud provider personnel access rights and operator logs relating to the 11.8.3, 13.2.2
customers' environment should be made available on the customers
request. Cloud provider can be blocked from environment (exception for
legal requirements).
A policy relating to the removal of data from cancelled products and to BO-13
dormant virtual machines and snapshots is developed and implemented.
The expected level of performance, level of redundancy and expected 10.3.1, 11.3.1, DG-04
recovery times at every level of the processing layer, data storage, the 11.5.1, 16.1.1,
internal network and the transit connections are described. A backup 11.1.3
policy is established and communicated. Datacenter locations should be
communicated, datacenter security, resilience and recovery policies
should be available.
The resiliency management program will be communicated. Disaster 16.1.3
recovery plans and availability enhancing measures should be shared
with customers when relevant.
Procedures should be established and implemented regarding the 11.1.2, 14.2.2,
provisioning of information on changes to the information system. Cloud 14.2.3, 14.1.1
provider should communicate its controls for the procurement of new
information systems and enhancements. Provider will endeavor to keep
existing technologies used by customers available.
Provider management should ensure that security status and 15.1.1, 15.1.2, 15.1.3
requirements can be communicated to customers. Customers should be
informed about security policy changes with material impact.
Security weaknesses and their mitigation are audited. Reports should 15.1.3, 11.2.1, 13.4.4
not include information which might lead to compromise.
Provider should develop and disclose policy with respect to conflicting 14.4.1
roles, and address specific conflicting roles in the auditing process.
Customers should be made aware of their responsibilities regarding 8.2.1
incident management and a procedure for customer imput is in place.
Cloud provider should provide the possibility for vulnerability 8.2.1, 5.1.2, 10.2.2, 8.2.1, 5.1.2
assessment by customers and provide information on the policy
regarding vulnerability assessment.
A policy is available to inform customers in the case of a breach of 10.3.1, 11.8.4 IS-27
privacy, a security breach or technical failure that could affect the
customer. Fault logs policy should be communicated and logs made
available to customers.
Detailed reporting on SLA performance, used and billable resources. 11.1.3 IS-27
There is a procedure to communicate with customers in the case of

maintenance and outages. Maintenance will be planned in order to
minimize customer impact.
Outage reporting: If service was interrupted or degraded a detailed report

will be provided on the reason and mitigation measures if relevant.
Cloud provider should provide user manuals pertaining to the relevant 11.1.1, 11.9.1,
services the provider offers. 11.10.1
Public facing web applications and API's related to the cloud service are 12.1.1, 12.1.2 BO-13, B3-5, B3-
secured. Connections are made on the basis of strong passwords and 11, B3-14, B3-15,
encrypted connections. B3-16, B5-2, B5-4,
B7-1
Sensitive customer data is encrypted. Measures are implemented to

prevent storage and visibility of sensitive financial information.
Customer management interfaces have a role based access model with 7.1.2, 13.1.1, IS-09
individual access only, logging and extra checks in the case of data 13.2.1, 13.2.3,
destruction. It should be possible for the authorized customer to change 13.4.1, 13.4.2,
access rights to the customer management interface. Information should 13.2.2, 13.2.4,
be provided on management interface access procedures so the 8.3.3
customer can develop its own policies. On client contract termination, all
access rights are revoked directly after the contract end date.
Reductions in access are implemented immediately and across all
applications the customer can access. Information on the use of
customer access rights will be provided on demand.
Availability measures for the management interface should be in place.
Requests from customer personnel are only executed if that person has IS-26
been authorized based on his service portfolio and SLA.
There is sufficient access to support and spare parts with respect to

externally acquired software and hardware.
Provider data and core systems: Core provider systems are redundant. A BO-11
multiple location storage and backup policy for system management
data is developed and implemented. Reporting or mitigation mechanisms
are in place upon lack of backups or backup-failure.
Site redundancy: Failure of one physical site will not result in other sites B1-6
failing. An alternate processing site is available for core IT functions.
Risk to single employees is minimised. Skills are not unique and
knowledge is documented.
The datacenter environment is controlled with power and air control
systems set up redundantly.
The network should be set up redundantly with multile transit gateways. B1-5
Measures to divert, mitigate or stop Distributed Denial of Service attacks
are implemented. DNS setup is redundant and secured.
All components and procedures are documented and this documentation BO-4
is kept up to date
ISO/IEC COPYRIGHT IS-03, IS-04, IS-01 BO-1, BO-3
ISO/IEC COPYRIGHT IS-05 BO-1, BO-2
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT B7-9
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT CO-04
ISO/IEC COPYRIGHT IS-12
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT IS-08, SA-01
ISO/IEC COPYRIGHT HR-02, LG-02
ISO/IEC COPYRIGHT FS-08
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT OP-02, IS-26
ISO/IEC COPYRIGHT DG-02, CO-05,

DG-07
ISO/IEC COPYRIGHT DG-03
ISO/IEC COPYRIGHT HR-01
ISO/IEC COPYRIGHT 8.1.2 HR-02
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT IS-11, IS-16

ISO/IEC COPYRIGHT 8.2.5 IS-06
ISO/IEC COPYRIGHT 8.3.1 HR-03
ISO/IEC COPYRIGHT FS-04, FS-02
ISO/IEC COPYRIGHT RS-05
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT OP-01
ISO/IEC COPYRIGHT SA-06

ISO/IEC COPYRIGHT 10.2.1 CO-03 BO-14
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT RM-02
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT SA-08, SA-10
ISO/IEC COPYRIGHT 10.6.2
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT

ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT SA-14 B7-5, B7-6
ISO/IEC COPYRIGHT SA-14 B7-2
ISO/IEC COPYRIGHT 11.8.2 IS-29 B7-7, B7-8
ISO/IEC COPYRIGHT IS-07 BO-12, B4-1
ISO/IEC COPYRIGHT IS-08, SA-01 B4-1
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT 10.1.1
ISO/IEC COPYRIGHT SA-09, SA-08 B1-1, B1-2, B1-3,

B2-1
ISO/IEC COPYRIGHT 10.1.1 SA-11
ISO/IEC COPYRIGHT SA-09 B7-1, B2-4

ISO/IEC COPYRIGHT IS-34, RM-05
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT SA-04 B3-1, B3-2, B3-3,

B3-6, B3-7, B3-12
ISO/IEC COPYRIGHT SA-04, SA-05
ISO/IEC COPYRIGHT SA-04 B3-4, B3-8, B3-9,

B3-10
ISO/IEC COPYRIGHT IS-18 B5-2
ISO/IEC COPYRIGHT IS-19 B5-1, B5-6, B5-7
ISO/IEC COPYRIGHT BO-5, B2-2, B2-3,

B3-13

ISO/IEC COPYRIGHT BO-6
ISO/IEC COPYRIGHT BO-6
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT RM-04, SA-04
ISO/IEC COPYRIGHT IS-20 BO-7
ISO/IEC COPYRIGHT RS-01, RI-01, RI-

03, RI-04
ISO/IEC COPYRIGHT RI-02, DG-08, RS-

02, RI-05
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT
ISO/IEC COPYRIGHT BO-8, BO9, BO-

10

Remark / Specification
Attacks that target the virtual

infrastructure (Shimming, Blue Pill,
Hyper jacking, etc.) shall be identified
and remediated with technical and
procedural controls.
Additional requirements ISO27017:

Clear information regarding
environment capacity, performance,
upgrade time, max performance, trial
use specifications and the requirements
regarding business continuity and
disaster recovery is provided. Payment
terms are clearly described.
Compensation implementation:
customers will get the opportunity to
migrate and will receive their product
for free for a reasonable period in order
to facilitate the migration.
Gaat over SLA maar moet in Terms

Compensation implementation:
customers will get the opportunity to
migrate and will receive their product
for free for a reasonable period in order
to facilitate the migration.
Moeten we nog over denken
Virtual asset chain of custody

ISO27017: VM migrations are logged
and secured.
Cloud provider technologies that could

cause a legal problem for customers in
the jurisdictions the data of the
customer is stored are evaluated and
communicated.
Communicating relevant legislation
includes that ISO27017: Provider should
be able to provide legal and regulatory
information regarding the country the
services are provided from. Provider
should disclose policies regarding
important records that the provider has
to keep. Cloud provider should confirm
if cryptographic technologies complies
with local law.
NDA clauses: Cloud provider will not

look for, analyze or store customer data
when it is not needed for technical
reasons. Customer data is destroyed on
request. Gedeeltelijk in New Information Commitment Sectie
Deprovisioning of services includes

complete destruction of all data
preceded by a period of data retention.
Backup policy in SLA

" Provider will endeavor to keep existing technologies used by customers available." in gewone ToB
Customers should report incidents and
relevant vulnerabilities to the provider.
Details on audit ISO27017: Utility
programs that can override controls
and the measures that control them will
be audited. Measures against malware
will be audited.
Information included ISO27017: the

relevant encryption used and
information on mobile interaction with
cloud provider.
Secured' includes: Public facing web
applications are protected by IDS and
an application-level firewall. Measures
are taken against vulnerabilities in the
application logic: only parameterised
queries are used, comments in de code
are minimised, cookie use is secure,
code reviews and regular black box
scans are conducted. Unused public
facing functionality should be removed.
Sensitive data includes: Tracks,
magnetic stripe data, PIN, PAN, CCV,
Credit card-numbers).
Information on the use of customer access rights will be provided on demand.

Further specification: The management
interface is not dependent on a single
physical site.
Terms and conditions of employment
relating to confidentiality and security
should meet or exceed the terms and
conditions of the cloud service.
Additional requirements CSA:
Implementation of security and other
risk reducing polices is a formal part of
employee assessment. ISO27017: Cloud
provider should communicate employee
disciplinary policies to its customers as
they relate to security.
Additional requirements ISO27017: In
case of termination a changing point of
contact should be communicated.
Information regarding termination
procedures is communicated to
customers where relevant.
Protection of logs should be audited
Additional requirements NCSC: A DMZ

is implemented, separating
management and customer traffic. No
physical bypasses around security
measures are allowed.
Additional requirements NCSC: A

network-IDS is implemented.
Key systems will require multi factor
authentication.
Additional requirements NCSC:
Environments should be hardened.
Security templates are being used.
Additional requirements CSA: Cloud
provider shall develop and maintain an
enterprise risk management framework
to manage risk to an acceptable level.
Acceptance levels are described in
accordance with reasonable time
frames and executive approval. Risk
assessment results shall include
updates to security policies,
procedures, standards and controls.
Additional requirements NCSC:
Penetration tests are performed
periodically (internal and external)
ustomers available." in gewone ToB

Cloud Controls and ISO 27017 List

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cloud Controls and ISO 27017 List

Uploaded by

Copyright:

Available Formats

Cloud Controls and ISO 27017 List

CC Multi 3 1 Multi Tenancy CC-MULTI-01 Cloud provider

CC Multi 3 3 Multi Tenancy CC-MULTI-03 Isolation failure risk

CC Multi 3 4 Multi Tenancy CC-MULTI-04 Network segregation

CC Multi 3 5 Multi Tenancy CC-MULTI-05 Control over hardware

CC Outsourcing 2 1 Management CC-OUTS-01 Clear agreements

CC Outsourcing Management CC-OUTS-39 Changes to

CC Outsourcing 2 5 Management CC-OUTS-05 Breach of uptime

CC Outsourcing 2 7 Management CC-OUTS-07 Extreme provisioning

CC Outsourcing 2 8 Management CC-OUTS-08 Control over assets at

CC Outsourcing 2 10 Management CC-OUTS-10 Control over

CC Outsourcing 2 11 Legal Process CC-OUTS-11 Data location and

CC Outsourcing 2 12 Legal Process CC-OUTS-12 Evidence collection

CC Outsourcing 2 13 Legal Process CC-OUTS-13 Customer

CC Outsourcing 2 14 Legal Process CC-OUTS-14 Review of agreements

CC Outsourcing 2 15 Legal Process CC-OUTS-15 Disclosure of relevant

CC Outsourcing 2 16 Legal Process CC-OUTS-16 Secure data

CC Outsourcing 2 18 Privacy and CC-OUTS-18 Privacy policy

CC Outsourcing 2 19 Privacy and CC-OUTS-19 Access of cloud

CC Outsourcing 2 20 Privacy and CC-OUTS-20 Data retention policy

CC Outsourcing 2 24 Security CC-OUTS-24 Information on

CC Outsourcing 2 26 Security CC-OUTS-26 Conflicting roles

CC Outsourcing 2 29 Operational CC-OUTS-29 Information on

CC Outsourcing 2 30 Operational CC-OUTS-30 Information regarding

CC Outsourcing 2 34 Connecting to CC-OUTS-34 Management Interface

CC Outsourcing 2 35 Connecting to CC-OUTS-35 Customer payment

CC Outsourcing 2 36 Connecting to CC-OUTS-36 Management interface

CC Outsourcing 2 37 Connecting to CC-OUTS-37 Management Interface

CC Outsourcing 2 38 Connecting to CC-OUTS-38 Customer personnel

Availability Availability 1 1 Availability CC-AVAIL-01 Availability

Availability Availability 1 2 Availability CC-AVAIL-02 Availability

Availability Availability 1 3 Availability CC-AVAIL-03 Availability

Availability Availability 1 5 Availability CC-AVAIL-05 Availability

Availability Availability 1 6 Availability CC-AVAIL-06 Availability

Availability Availability 1 7 Availability CC-AVAIL-07 Availability

ISO ISO 0 A.5.1.1 Security ISO27002 A.5.1.1 Information

ISO ISO 0 A.8.2.1 Human ISO27002 A.8.2.1 Management

ISO ISO 0 A.8.3.1 Human ISO27002 A.8.3.1 Termination

ISO ISO 0 A.8.3.2 Human ISO27002 A.8.3.2 Return of

ISO ISO 0 A.11.4.6 Access ISO27002 A.11.4.6 Network

ISO ISO 0 A.14.1.2 Business ISO27002 A.14.1.2 Business

ISO ISO 0 A.15.3.1 Compliance ISO27002 A.15.3.1 Information

It is possible to completely separate the environments of a single 11.5.3

No frivolous canceling of customer contracts: The cloud provider may

There is a procedure to communicate with customers in the case of

Outage reporting: If service was interrupted or degraded a detailed report

Sensitive customer data is encrypted. Measures are implemented to

There is sufficient access to support and spare parts with respect to

ISO/IEC COPYRIGHT IS-03, IS-04, IS-01 BO-1, BO-3

ISO/IEC COPYRIGHT IS-05 BO-1, BO-2

ISO/IEC COPYRIGHT B7-9

ISO/IEC COPYRIGHT B7-9

ISO/IEC COPYRIGHT CO-04

ISO/IEC COPYRIGHT IS-12

ISO/IEC COPYRIGHT CO-02

ISO/IEC COPYRIGHT IS-08, SA-01

ISO/IEC COPYRIGHT HR-02, LG-02

ISO/IEC COPYRIGHT FS-08

ISO/IEC COPYRIGHT OP-02, IS-26

ISO/IEC COPYRIGHT DG-02, CO-05,

ISO/IEC COPYRIGHT IS-13

ISO/IEC COPYRIGHT HR-01

ISO/IEC COPYRIGHT 8.1.2 HR-02