Cloud Service Extensions
Cloud-specific controls extending ISO/IEC 27002.
Information security roles and responsibilities (cloud)
Allocate cloud-specific roles for the cloud customer and cloud service provider, including cloud asset ownership and risk responsibilities.
Contact with authorities (cloud)
The cloud service customer should agree with the cloud service provider on procedures by which the provider contacts relevant authorities on the customer's behalf.
Information security awareness, education and training (cloud)
Provide training that addresses cloud-specific security responsibilities of users in both customer and provider organizations.
User registration and de-registration (cloud)
Manage cloud service customer user registration, including federation, single sign-on, and removal of users upon contract termination.
Management of secret authentication information (cloud)
Provide secure mechanisms for managing administrative credentials for cloud services.
Cryptographic controls policy (cloud)
Define which cryptographic controls are used by the cloud service customer and which by the provider.
Key management (cloud)
Define key management responsibilities between cloud customer and provider, including bring-your-own-key (BYOK) options.
Change management (cloud)
Cloud service provider must inform cloud service customer of changes that may adversely affect the customer.
Event logging (cloud)
Cloud service provider should provide logging capabilities and access to logs to the cloud service customer.
Segregation in networks (cloud)
Enforce segregation between virtual networks of different cloud service customers.
Addressing security in supplier agreements (cloud)
Cloud customer agreements with cloud providers must address all relevant security requirements.