Nov 22 2024

Significance of ISO 27017 and ISO 27018 for Cloud Services

Category: Cloud computingdisc7 @ 9:26 am

ISO 27017 and ISO 27018 are critical standards for enhancing information security, specifically in cloud environments.

  • ISO 27017: This standard provides guidelines for information security controls in cloud services. It extends the general ISO 27001 framework to address cloud-specific risks, such as shared resources, multi-tenancy, and data location. It offers recommendations for both cloud service providers (CSPs) and customers to ensure the security of cloud infrastructure, operations, and data. Key areas include responsibilities of CSPs, customer monitoring, and cloud-specific risk management.
  • ISO 27018: This standard focuses on protecting Personally Identifiable Information (PII) in cloud computing environments. It ensures CSPs comply with privacy laws and practices by offering controls specifically tailored for PII processing. These include requirements for data access, consent management, incident notification, and restricting data usage for marketing without explicit approval. It promotes trust by addressing privacy in a structured and transparent way.

Together, these standards build confidence in cloud adoption by mitigating risks associated with data security and privacy in shared digital ecosystems. They are particularly valuable for organizations handling sensitive data, such as financial institutions and healthcare providers.

  • Cloud Security Toolkit – Start the journey to ISO 27017 and ISO 27018 compliance for Cloud services security with customizable templates, documents, policies and records.
  • Designed to integrate with our ISO 27001 DocumentKits toolkit to ensure you have complete control over the security of your Cloud services.
  • Get professional guidance and become an expert in securing your Cloud services, putting you fully in control of managing your information security.
  • Guarantee full coverage of ISO 27017 and ISO 27018 with comprehensive documentation covering topics including backup and restoration, compliance checking, information security planning and risk assessments.
  • Reduce your implementation costs and time spent generating your documentation.
  • Get compliant and stay compliant with more than 500 free annual updates.
  • Benefit from using the world’s only fully Cloud-based toolkit platform, making collaboration and accessibility easier than ever.
  • This is an annual subscription product, however, you can cancel at any time. (T&Cs apply)

Previous posts on cloud computing

3 ISO 27001:2022 Controls That Help Secure Your Cloud Services

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: cloud services, CSP, iso 27017, ISO 27018


Nov 20 2024

3 ISO 27001:2022 Controls That Help Secure Your Cloud Services

Category: Cloud computing,Information Security,ISO 27kdisc7 @ 12:52 pm

The article highlights three critical controls from ISO 27001:2022 to enhance cloud security, providing organizations with guidance on how to protect sensitive data stored in the cloud effectively:

  1. Contractual Assurance: Control 5.10 emphasizes acceptable use and handling of information, particularly third-party assets like cloud services. It stresses the importance of establishing contractual agreements with cloud providers to ensure data security. Organizations should verify providers’ compliance with standards like ISO 27001 or other independent certifications, check for business continuity guarantees, and ensure compliance with regulations like GDPR or PCI DSS where applicable.
  2. Cloud-Specific Policies: Control 5.23 introduces the need for processes and policies tailored to cloud services. These should cover the acquisition, use, management, and exit strategies for cloud services. Organizations are advised to define security requirements and clarify roles, responsibilities, and controls between the organization and the provider. Policies should also include handling incidents and outlining exit procedures to maintain security throughout the service lifecycle.
  3. Extending ISMS: While ISO 27001:2022 offers foundational controls, organizations can enhance their information security management system by adopting supplementary standards like ISO 27017 (focused on cloud-specific controls) and ISO 27018 (privacy in cloud services). However, these extensions currently align with the older ISO 27001:2013 Annex A, necessitating careful integration with updated frameworks.

These controls underscore the importance of robust policies, contractual due diligence, and clear delineation of responsibilities to secure cloud environments effectively. More details can be found here.

The Risk Assessment Process and the tool that supports it

What is the significance of ISO 27001 certification for your business?

ISO 27k Chat bot

Pragmatic ISO 27001 Risk Assessments

ISO/IEC 27001:2022 – Mastering Risk Assessment and the Statement of Applicability

Risk Register Templates: Asset and risk register template system for cybersecurity and information security management suitable for ISO 27001 and NIST

ISO 27001 implementation ISO 27002 ISO 27701 ISO 27017 ISO27k

How to Address AI Security Risks With ISO 27001

How to Conduct an ISO 27001 Internal Audit

4 Benefits of ISO 27001 Certification

How to Check If a Company Is ISO 27001 Certified

How to Implement ISO 27001: A 9-Step Guide

ISO 27001 Standard, Risk Assessment and Gap Assessment

ISO 27001 standards and training

What is ISO 27002:2022

Previous posts on ISO 27k

ISO 27001/2 latest titles

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud services, ISO 27001 2022


Aug 06 2021

For Hackers, APIs are Low-Hanging Fruit

Category: Cloud computingDISC @ 12:18 pm

By 2022, API abuses will become the most frequent attack vector, predicts Gartner. We’re already witnessing new API exploits reach the headlines on a near-daily basis. Most infamous was the Equifax breach, an attack that exposed 147 million accounts in 2017. Since then, many more API breaches and major vulnerabilities have been detected at Experian, Geico, Facebook, Peleton and other organizations.

So, why are API attacks suddenly becoming so prevalent? Well, several factors are contributing to the rise in API exploits. As I’ve covered before, the use of RESTful web APIs is becoming more widespread through digital transformation initiatives and SaaS productization. And, the data these touchpoints transmit can carry a hefty price tag. Unfortunately, cybersecurity has not sufficiently progressed, making APIs ripe for the hacker’s picking.

I recently met with Roey Eliyahu, CEO of Salt Security, to better understand why more and more APIs hacks are making headlines. According to Eliyahu, a general lack of security awareness means these integration points are a low-effort, high-reward attack target. Establishing protection against zero-day threats means increasing the visibility of API holdings, testing for broken authorization and instigating ongoing monitoring of runtime environments.

Below, I’ll review the top factors contributing to the rise in API exploits. We’ll explore some of the top reasons why API attacks are increasing and consider how a zero-day protection mindset can mitigate common API vulnerabilities.

Six Reasons API Attacks Are Increasing

API Security in Action

Tags: API security risks, cloud services


Jan 22 2010

How to manage risk in the cloud

Category: Cloud computingDISC @ 3:06 am

What is Cloud Computing and does it provide more protection to your business?

  • Pre-order the Softcover;

  • Pre-order the eBook.
  • Cloud Computing will bring many benefits to organisations, some of which include reducing operating costs, reducing power consumption and freeing you up to focus on your core business.
    The concept of shifting computing to a shared service provider is not new. What may be new is that the cost of Cloud Computing is falling so dramatically that considering outsourcing to the Cloud is no longer rare, and it is now accessible enough that any individual or organisation can use it to their advantage.

    Above the Clouds: Managing Risk in the World of Cloud Computing
    For Cloud Computing to be a viable option, you need to be confident that your business information will be secure and that the service you offer to your customers will still be reliable. So if you want to adopt a Cloud Computing strategy, you need to make sure you carry out due diligence on the service provider before you entrust this firm with your vital data. However, the author challenges the assumption that Cloud Computing will offer less protection to your data than relying on an in-house server. Buy Now!>

    Cloud Computing not only allows you to make economies of scale; it can also offer you the increased security that comes from sharing the resource. The author argues that moving over to Cloud Computing can actually help to defend your organisation from threats such as denial of service attacks, viruses and worms.

    Cloud service providers will tell you that Cloud Computing is bound to be better, faster and cheaper. The reality is that before switching over to Cloud Computing, you need to think carefully about whether it will really work for your business. This book shows you what you need to do to ensure that with Cloud Computing you will continue to give the standard of service your customers require. It also offers you some valuable tips on how to choose your provider of Cloud services.

    Published date: 9th February 2010.

    Pre-order this book using Voucher Code: “cloud2010” to save 10%!

  • Pre-order the Softcover;

  • Pre-order the eBook.



  • Tags: Business, cloud, Cloud computing, cloud computing benefits, cloud computing concerns, cloud computing risks, cloud computing security, cloud security, cloud services, cloudcomputing, Computer Science, Denial-of-service attack, Distributed Computing, due diligence, Economy of scale, Outsourcing, Security


    Sep 10 2009

    Way beyond the edge and de-perimeterization

    Category: Cloud computing,Information SecurityDISC @ 2:59 pm

    Wie eine Firewall arbeitet / how a firewall works
    Image by pittigliani2005 via Flickr

    De-perimeterization term has been around almost for a decade and finally industry is taking it seriously because of virtualization and cloud computing popularity. Is it time for businesses to emabrace de-perimeterization?

    De-perimeterization is a double edge sword for industry which creates scalable options for operation and huge challenges for safeguarding the assets beyond the edge. One of the major advantages for de-perimeterization is that user can access corporate information over the internet; in this situation user can access corporate data from any where, it’s hard to draw the line where the edge begins and where it ends. All you basically need a functional laptop with internet connection. On the other hand, de- perimeterization poses a great challenge due to possibility of viruses, spywares and worms spreading in your internal protected infrastructure.

    In de-perimeterized environment, security attributes shall follow the data, wherever the data may go or reside.

    In security architecture where firewall was considered a very effective perimeter defense has been weakens by virtualization and cloud computing. In early days of firewall defense, organization only needed to open few necessary protocols and ports to do business. Internet accessible systems were located on the DMZ and the communication was initiated from the corporate to internet. Now there are whole slew of protocols and ports which needs to be open to communicate with application in the cloud. As corporate application move out of the organization network into the cloud, the effectiveness of firewall diminished.

    Defense in depth is required for additional protection of data because as new threats emerge, the firewall cannot be used as an only layer of security. The key to the security of de-perimeterization is to push security at each layer of infrastructure including application and data. Data is protected at every layer to ensure the confidentiality, integrity and availability (CIA). Various techniques can be utilized for safeguarding data including data level authentication. The idea of data level authentication is that data is encrypted with specific privileges, when the data move, those privileges are moved with the data.

    layered-defense

    Endpoint security is relevant in today’s business environment especially for laptop and mobile devices. Agents on laptops and mobile devices utilized pull/push techniques to enforce relevant security policies. Different policies are applied depending on the location of the laptop. Where security policy will ensure which resources are available and what data need to be encrypted depending on the location of the device.

    When corporate application and important data reside in the cloud, SLA should be written to protect the availability of the application and confidentiality of the data. Organizations should do their own business continuity planning so they are not totally dependent on the cloud service provider. For example backup your important data or utilize remote backup services where all data stored is encrypted.


    Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance


    Download a free guide for following cloud computing applications

    Hosted email solution
    Hosted email archiving
    Hosted web monitoring
    Hosted online backup


    Reblog this post [with Zemanta]




    Tags: business continuity, Cloud computing, cloud computing article, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing security, cloud computing services, cloud security, cloud services, de-perimeterizations, DMZ, iso assessment


    Jul 07 2009

    Cloud Computing Pros and Cons

    Category: Cloud computingDISC @ 6:19 pm

    Cloud Application Architectures: Building Applications and Infrastructure in the Cloud

    Cloud computing is the future of the computing, which happens to provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Basic idea behind cloud computing is the accessibility of application and data from any location as long as you are connected to the internet. Cloud computing makes the laptop the most essential tool to get the job done.

    For example Hosted Email (SaaS) Security provides safeguards at the Internet level, eliminating spam and malware before they reach your internal network infrastructure. The hosted email provides centralized security with built-in redundancy, failover, and business continuity, while easing network and security administration. In the hosted email software as a service the security controls are at work at the internet level. It’s about time to expand the corporate perimeter beyond firewall and one of the major benefit of cloud computing is to give organizations capability to implement security controls at internet level and eliminate threats before they reach the internal network.

    An online backup service is another example of software as a service (SaaS) which provides users with an online system for backing up and storing computer files.

    Cloud computing incorporates several different types of computing, including:
     software as a service (SaaS)
     platform as a service (PaaS)
     infrastructure as a service (IaaS)

    It is a range of technologies that have come together to deliver scalable, tailored and virtualized IT resources and applications over the Internet.

    Cloud Computing have several benefits and potential risks which you may want to know before signing a contract with a cloud vendor.



    Cloud Computing benefits

  • Users can avoid capital expenditure on hardware, software, and other peripheral services, when they only pay a provider for those utilities they use;

  • Consumption is billed as a utility or subscription with little or no upfront cost;

  • Immediate access to a broad range of applications, that may otherwise be out of reach, due to:

  • The lowering barriers to entry;

  • Shared infrastructure, and therefore lower costs;

  • Lower management overhead.

  • Users will have the option to terminate a contract at any time, avoiding return on investment risk and uncertainty.

  • Greater flexibility and availability of ‘shared’ information, enabling collaboration from anywhere in the world – with an internet connection.


  • Cloud computing associated risks

  • Cloud computing does not allow users to physically possess the storage of their data which leaves responsibility of data storage and control in the hands of their provider;

  • Cloud Computing could limit the freedom of users and make them dependent on the cloud computing provider;

  • Privileged user access – how do you control who has access to what information?

  • Security of sensitive and personal information lay with the vendor. How do you explain this to your customers when their data is compromised without sounding like you’re ‘passing the buck’?

  • From a business continuity stand point, can you rely on each vendor to have adequate resilience arrangements in place?

  • Long-term viability — ask what will happen to data if the company goes out of business; how will data be returned and in what format?



  • Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Recomended books on cloud computing

    Reblog this post [with Zemanta]




    Tags: Cloud computing, cloud computing article, cloud computing benefits, cloud computing concerns, cloud computing email, cloud computing hosting, cloud computing information, cloud computing network, cloud computing platform, cloud computing risks, cloud computing security, cloud computing services, cloud computing solutions, cloud security, cloud services, Infrastructure as a service, Platform as a service