ISO/IEC 27017
ISO/IEC 27017:2015 cloud-specific controls (CLD.*) supplementing ISO/IEC 27002 for cloud customer and provider responsibilities.
Requirements in this framework (44)
- Acceptable use of assets
- Access to networks and network services
- Addressing security within supplier agreements
- Administrator and operator logs
- Administrator's operational security
- Alignment of security management for virtual and physical networks
- Change management
- Classification of information
- Collection of evidence
- Event logging
- Identification of applicable legislation and contractual requirements
- Independent review of information security
- Information access restriction
- Information backup
- Information security awareness, education and training
- Information security policy for supplier relationships
- Information security roles and responsibilities
- Information transfer policies and procedures
- Inventory of assets
- Key management
- Management of privileged access rights
- Management of secret authentication information of users
- Management of technical vulnerabilities
- Mobile device policy
- Monitoring of cloud services
- Network controls
- Policies for information security
- Policy on the use of cryptographic controls
- Protection of records
- Removal of cloud service customer assets
- Reporting information security events
- Responsibilities and procedures
- Review of the policies for information security
- Secure development policy
- Secure disposal or re-use of equipment
- Securing application services on public networks
- Segregation in networks
- Segregation in virtual computing environments
- Shared roles and responsibilities within a cloud computing environment
- Use of privileged utility programs
- Use of secret authentication information
- User access provisioning
- User registration and de-registration
- Virtual machine hardening