Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you request to download our free implementation guide, we use your name, company name (which is optional) and your email address to email you a link to download the requested document. We may also email you after your download in order to follow up on your interest in our products and services. We will do this based on our legitimate interest in marketing to prospects for our products and services. Your name and email address are stored on our website which is hosted with Digital Ocean. Your personal data is stored for one year after you requested your download, after which it is deleted.

Reveal Menu

In the Cloud no-one can hear your data scream.

 

Cloud computing is undoubtedly one of the most significant shifts in information technology in recent times. The availability of seemingly limitless capacity paired with rich functionality in a greatly accelerated timeframe and at a generally reasonable cost is an attractive formula that is winning converts the world over. Most organizations large and small are now taking advantage of these facilities and the delivery model for IT is changing, with data increasingly held outside the walls of the organization’s internal network.

But data security is seen as a problem. We’ve looked previously at how cloud software providers are embracing ISO27001 but that’s really only part of the story. If you make use of cloud services, you have a responsibility to fulfil your part of the security bargain. And the ISO27001 information security standard can help with that too. Here we outline eight ways in which ISO27001 can help you to make your organization’s use of cloud as secure as possible.

HiRes

1. Information classification

If you don’t know much about the information you have in the first place, then protecting it becomes much more difficult. The ISO27001 standard proposes that you create an information asset register and then classify your data according to legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. You can use whatever classification names you like such as “Confidential” or “Restricted”; the key point is that you know which information is particularly important to your organization and can protect it accordingly, especially when it’s in the cloud. You may even decide to have a policy that restricts which data can be placed into the cloud according to its classification. Either way, classifying your information makes decisions that much easier.

2. Risk assessment

A key part of ISO27001 is the emphasis on identifying, assessing and treating your risks. A risk is something that hasn’t happened yet, but if it did it would have a detrimental impact on your organization. Ok, it’s hard to see into the future, but by at least thinking about what could happen, you start to become much more proactive in putting in place those “just in case” actions. This also applies to how you assess potential cloud suppliers – is there more risk with one than another? What would the impact be if the data you place in the cloud were compromised? What controls do you need the cloud provider to have in place?

3. Compliance with legal and contractual requirements

You may have decided that the cloud is the way to go, but you’re not the only one that has a say in this. You may have legal and contractual obligations that have an impact on what you decide to do. If you breach these obligations, a law suit or even jail time could follow so you’d best know what they are. This is a key aspect of ISO27001 – understanding what it is you are trying to achieve and how much freedom you have to play with.

4. Supplier due diligence

We’ve all done it; encounter a problem, start wondering whether there’s a cloud app for it and before you know what’s happened you’ve entered your credit card information and begun logging data with a company that you hadn’t even heard of ten minutes earlier. How much do you know about them?; where do they keep your data?; what security controls do they have in place?; are they even a real company? These are all questions that may be ignored in the heat of the moment. You owe it to yourself, your customers and your shareholders to take basic precautions when choosing a cloud supplier.

5. Segregation of duties

For an in-house project you will often have the time to consider how an IT service is going to be delivered. With cloud it can all happen much faster and some basic controls can go out of the window. One of these is the idea that one person should not have complete control over a process. This reduces the temptation to get creative on your own simply because you can. A common example is that of being able to raise a purchase order and approve the invoice that pays it, but less common ones may be to do with who can create a user in a cloud app and who decides what they can do within it. Try to ensure that duties in a cloud environment are designed to be secure, and that means segregated.

6. Access control

ISO27001 places great emphasis on access control and this is even more important in a cloud situation than with internal systems. Cloud systems lack many of the defense in depth features of internal networks which means that basically anyone with a browser can get to the login screen. This makes policies on password strength and expiry much more important and the use of some form of two factor authentication a very good idea.

7. Audit and review

Ok, nobody likes to be audited, but you have to admit that having somebody else check over your security has got to be a good idea. If you sign up for a cloud service and never check that all the promises you were made at the start have been delivered then you’re asking for trouble. The ISO27001 regime of internal audits, management reviews and external audits should help to keep you on your toes enough to avoid any embarrassing security breaches. Or if they do happen, you can blame the auditor (only kidding, auditors).

8. Monitoring and review of supplier services

You may have checked the supplier out when you signed up, and you may be happy with the promised level of service but how do you know that’s actually what you’re getting? Checking that the service being received is the service you’re paying for is the objective of several ISO27001 controls. These also deal with any changes that the supplier makes that could lay you open to a reduced level of security. Like everything else, cloud is a moving target and an ISO27001 management system helps you to cope with change.

 

Making use of cloud services is one of the most effective business enablers of the 21st century so far. Wrapping the ISO27001 standard around the cloud gives you the tools to capitalize on the advantage without risking your security.

Cloud and ISO27001 – a formidable combination.

Over 3000 businesses have purchased our toolkits

Testimonials

It really saved us a lot of time and we would not have made the deadline and budget without the documents. Thank you!

CEO
Technoberg b.v.

View all Testimonials