ISO 27001 For Your Cloud
What is ISO 27001?
According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”
The 2013 revision of Annex A lists 114 controls in 14 clauses (A.5 to A.18) grouped into 35 control objectives; the 2005 edition had 133 controls in 11 clauses.
- A.5: Information security policies (2 controls)
- A.6: Organization of information security (7 controls)
- A.7: Human resource security (6 controls)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (2 controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (7 controls)
- A.14: System acquisition, development and maintenance (13 controls)
- A.15: Supplier relationships (5 controls)
- A.16: Information security incident management (7 controls)
- A.17: Information security aspects of business continuity management (4 controls)
- A.18: Compliance (8 controls)
Who Does It Apply To?
Any organization that handles sensitive information can benefit from ISO 27001. The standard is written to be generic and applicable to organizations of any type, size or sector.
Scope of the Standard
ISO 27001 is broad in scope, and it is a management-system standard rather than a regulation. Instead of prescribing specific technologies, it defines a methodology for identifying information security risks, assessing them, and then defining the controls and procedures that treat those risks before they become incidents.
Core Requirements
With the move to cloud infrastructure, complying with ISO 27001 becomes more complex and places an additional burden on workforce and budget.
CloudOptics ensures that the technical controls supporting ISO 27001 compliance are in place across AWS, Azure and GCP, and also verifies that user controls are properly implemented.
Organization of Information Security
A.6.1.2 Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
Asset Management
A.8.1.1 Inventory of assets: Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.
Access Control
A.9.4.3 Password management system: Password management systems shall be interactive and shall ensure quality passwords.
Cryptography
A.10.1.2 Key management: A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.
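The four controls quoted above (segregation of duties, asset inventory, password quality, key lifecycle) are requirements, not checks; in a cloud account each becomes a concrete configuration test. The Python below is an added example, not CloudOptics code, that maps each of A.6.1.2, A.8.1.1, A.9.4.3 and A.10.1.2 to an offline check over constructed sample documents. The document shapes mimic AWS CLI / boto3 output (an assumption about the shape, not captured data), and the password baseline, the conflicting-duty pair and the required tag set are illustrative assumptions: ISO 27001 leaves those values to the organization's own policy.

```python
"""Offline checks mapping four ISO 27001:2013 Annex A controls to cloud settings.
Inputs are constructed documents shaped like AWS CLI / boto3 output (an assumed shape:
`iam get-account-password-policy`, `kms describe-key` + `kms get-key-rotation-status`,
`iam get-policy-version`, resource tag listings). No account is queried."""
from datetime import datetime, timezone
import fnmatch

# A.9.4.3: assumed organizational baseline; ISO 27001 itself prescribes no numbers.
PASSWORD_BASELINE = {"MinimumPasswordLength": 14, "RequireSymbols": True,
                     "RequireNumbers": True, "RequireUppercaseCharacters": True,
                     "RequireLowercaseCharacters": True, "PasswordReusePrevention": 24}
# A.6.1.2: assumed conflicting pair, changing production workloads vs. tampering
# with the audit trail that records those changes.
CONFLICTING_DUTIES = {
    "change-production": ["ec2:RunInstances", "ec2:TerminateInstances", "lambda:UpdateFunctionCode"],
    "tamper-audit-trail": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors"],
}
# A.8.1.1: assumed tags that make a resource identifiable in the inventory.
REQUIRED_TAGS = ("Owner", "Classification")

def check_password_policy(policy):
    """One finding per baseline setting the account password policy fails to meet."""
    findings = []
    for key, wanted in PASSWORD_BASELINE.items():
        have = policy.get(key)
        ok = (have is True) if isinstance(wanted, bool) else (isinstance(have, int) and have >= wanted)
        if not ok:
            findings.append(f"A.9.4.3 {key}: have {have!r}, need {wanted!r}")
    return findings

def check_kms_keys(keys, now, max_age_days=365):
    """Flag enabled customer-managed keys lacking rotation or older than max_age_days."""
    findings = []
    for k in keys:
        meta = k["KeyMetadata"]
        if meta["KeyManager"] != "CUSTOMER" or meta["KeyState"] != "Enabled":
            continue  # AWS-managed keys are rotated by AWS; disabled keys are out of use
        if not k["KeyRotationEnabled"]:
            findings.append(f"A.10.1.2 {meta['KeyId']}: automatic rotation disabled")
        age = (now - meta["CreationDate"]).days
        if age > max_age_days:
            findings.append(f"A.10.1.2 {meta['KeyId']}: {age} days old, exceeds {max_age_days}")
    return findings

def check_inventory(resources):
    """Every resource must carry the tags that place it in the asset inventory."""
    findings = []
    for r in resources:
        missing = [t for t in REQUIRED_TAGS if t not in r.get("Tags", {})]
        if missing:
            findings.append(f"A.8.1.1 {r['Arn']}: missing tags {missing}")
    return findings

def grants(policy_doc, action):
    """True if an Allow statement's Action pattern covers `action` (IAM wildcards,
    case-insensitive). Deny, Resource and Condition are ignored, so the result
    over-approximates what the principal can do; a real evaluator must handle them."""
    for st in policy_doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        patterns = st.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False

def check_segregation(principal, policy_doc):
    """Report a principal whose policy grants every duty in CONFLICTING_DUTIES."""
    held = sorted(d for d, acts in CONFLICTING_DUTIES.items() if any(grants(policy_doc, a) for a in acts))
    return [f"A.6.1.2 {principal}: holds conflicting duties {held}"] if len(held) == len(CONFLICTING_DUTIES) else []

# Constructed sample inputs, not real account data.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_PASSWORD_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
                          "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
                          "PasswordReusePrevention": 5}
SAMPLE_KEYS = [{"KeyMetadata": {"KeyId": kid, "KeyManager": mgr, "KeyState": "Enabled",
                                "CreationDate": datetime(*ymd, tzinfo=timezone.utc)},
                "KeyRotationEnabled": rot}
               for kid, mgr, ymd, rot in [("1111-aaaa", "CUSTOMER", (2022, 6, 1), False),
                                          ("2222-bbbb", "CUSTOMER", (2023, 9, 1), True),
                                          ("3333-cccc", "AWS", (2020, 1, 1), True)]]
SAMPLE_RESOURCES = [
    {"Arn": "arn:aws:s3:::acme-prod-invoices", "Tags": {"Owner": "finance", "Classification": "confidential"}},
    {"Arn": "arn:aws:ec2:eu-west-1:123456789012:instance/i-0abc", "Tags": {"Owner": "platform"}},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "lambda:UpdateFunctionCode"], "Resource": "*"},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"}]}

def run_all():
    """All findings against the sample inputs, one control at a time."""
    return (check_segregation("role/deploy-and-audit", SAMPLE_POLICY) + check_inventory(SAMPLE_RESOURCES)
            + check_password_policy(SAMPLE_PASSWORD_POLICY) + check_kms_keys(SAMPLE_KEYS, NOW))
```

Run against the samples, `run_all()` returns seven findings: one principal holding both conflicting duties, one untagged instance, three password settings below the baseline, and one customer-managed key that is both unrotated and past its maximum age. The segregation check deliberately ignores Deny statements, Resource scoping and Conditions, so it errs toward reporting too much, which is the safe direction for an audit but not acceptable in a production evaluator. The same structure carries over to Azure role assignments or GCP IAM bindings once the duty lists are written in those providers' permission names.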