Cloud computing is a key tool for business everywhere:
- You get access to easy-to-scale services
- You can extend your IT capabilities
- You benefit from innovations
In short, you gain access to technical services and functions you may not have internally. Particularly for smaller organisations, this brings huge benefits.
For one, you can access your information from anywhere.
The trouble is – how do you restrict that access to authorised users only? Plus, Cloud environments are increasingly complex. This increases your attack surface and makes vulnerabilities more likely.
To protect data in the Cloud, you must take the same kinds of precautions as you would with information held elsewhere. That means implementing appropriate controls.
Which controls, you ask?
ISO 27001, the international standard that describes best practice for an ISMS (information security management system), is a good place to start.
In this blog
Let’s look at three ways ISO 27001:2022 can help protect information stored in the Cloud:
You can also extend your ISO 27001 ISMS with ISO 27017 and ISO 27018, but note that the latest versions (at the time of writing) are still aligned to the 2013 version of ISO 27001, including the old Annex A.
1. Contractual assurance
Control 5.10 of ISO 27001:2022, acceptable use of information and other associated assets, states:
Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.
ISO 27002, the companion standard to ISO 27001, clarifies that these assets can belong to a third party, such as a Cloud service provider. You should identify such assets and manage them through a contractual agreement (or similar) with the provider.
Remember that outsourcing to a Cloud provider means sharing data. So, doing your due diligence is important:
- Make sure your contract offers sufficient guarantees of security – preferably through ISO 27001 certification or similar independent assurance.
- Check for business/service continuity guarantees – don’t end up in a CrowdStrike-like situation!
- If you’re dealing with personal data, make sure the contract meets the GDPR requirements.
- If you’re an e-commerce merchant, check you’re meeting the PCI DSS requirements (SAQ A).
This list isn’t exhaustive, but offers a decent starting point.
2. Create a policy for use of Cloud services
One of the controls introduced by the 2022 version of ISO 27001 is 5.23: information security for use of Cloud services. This says:
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.
ISO 27002 suggests defining a policy specific to the use of Cloud services. This should specify selection criteria, and what your security requirements are.
It also lays out specific things to pay attention to in your Cloud service agreements, including:
- Roles and responsibilities;
- Which controls you manage, and which controls the provider manages;
- How to get assurance on the controls the provider implements;
- Procedures for handling security incidents; and
- Exit strategies for the service.
Finding this blog useful? To get notified of future
insights like this, subscribe to our free weekly
newsletter: the Security Spotlight.
3. Access control
The mass migration to the Cloud since the 2020 lockdowns significantly impacted network security. When staff and resources are accessing information remotely, you can’t blindly trust them.
Previously, networks were typically self-contained, on-site setups. You’d naturally trust a device physically connected to a company network. Then, VPNs (virtual private networks) extended network access – fairly securely – to users outside that physical network.
Now, with the Cloud, staff can work from anywhere with an Internet connection. That completely changes the risks, making access control more important than ever.
To stay secure, follow two key principles:
- The principle of least privilege
- The need-to-know principle
In other words, don’t give people more access than they need, and don’t give excessive permissions (e.g. editing rights for something they only need to view).
For example, maybe someone does need access to HR data – but only to certain bits (e.g. just employee records, not payroll data).
Access control and ISO 27001
Unsurprisingly, access control is also an explicit ISO 27001 control. Specifically, control 5.15, access control, says that:
Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
The Standard also includes other controls that touch on the subject, including:
- 5.18: Access rights
- 8.3: Information access restriction
- 8.5: Secure authentication
- 8.11: Data masking
Add a Cloud dimension to your ISMS with ISO 27017
Our two-day Certified ISO 27017 CIS CCS Training Course:
- Builds on your understanding of how to implement and audit an ISMS; and
- Dives into the details of implementing and auditing security controls for systems in the Cloud based on ISO 27017.
Learn a robust and thorough way to implement and audit controls for any Cloud-based components of your ISMS.
We first published a version of this blog in November 2021.