ISACA Journal Author Blog


ISO/IEC 27001 and the Cloud

Published: 8/29/2011 8:26 AM
Charu Pelnekar, CISA, CISM, ACA, AICWA, BCOM, CISSP, CPA, MCSE, QSA
 
The goal of my vol. 4 article is to provide guidance on the planning and decision-making processes associated with ISO/IEC 27001 implementation, including associated costs, project length and implementation steps. ISO/IEC 27001 requires a company to establish, implement and maintain a continuous improvement approach to manage its information security management system (ISMS). ISO/IEC 27001 and its supporting document, ISO/IEC 27002 (ISO/IEC 17799), detail 133 security measures, which are organized into 11 sections and 39 control objectives. The ISMS may be certified compliant with ISO/IEC 27001 by a number of accredited registrars worldwide. Independent assessment necessarily brings some rigor and formality to the implementation process.
 
Domain 4, Compliance and Audit, of the Cloud Security Alliance Security Guidance for Critical Areas of Focus in Cloud Computing V2.1 provides the following recommendation:
Cloud providers seeking to provide mission critical services should embrace the ISO/IEC 27001 standard for information security management systems. If the provider has not achieved ISO/IEC 27001 certification, they should demonstrate alignment with ISO 27002 practices.
 
The Cloud Security Alliance is issuing an industry call to action to align cloud providers behind the ISO/IEC 27001 certification, to assure that scoping does not omit critical certification criteria.

The content of my article is based on my own experiences with clients and on the questions I was asked by cloud service providers and users. My article provides a process framework for IT security implementation and can also assist in determining the status of information security and the degree of compliance with the necessary security policies, directives and standards.
 
Read Charu Pelnekar's recent Journal article:
"Planning for and Implementing ISO 27001," ISACA Journal, volume 4, 2011
 
Additionally, the following publications related to cloud computing are available from ISACA: IT Control Objectives for Cloud Computing: Controls and Assurance in the Cloud; Cloud Computing Management Audit/Assurance Program; and Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives. In addition, ISACA offers the Cloud Computing Group in the Knowledge Center and further guidance on the Cloud Computing page of the ISACA web site.
