1、BS ISO/IEC 27036-4:2016 Information technology Security techniques Information security for supplier relationships Part 4: Guidelines for security of cloud services BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27036-4:2016 BRITISH STANDARD National for
2、eword This British Standard is the UK implementation of ISO/IEC 27036-4:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/4, Security Controls and Services. A list of organizations represented on this committee can be obtained on request to its secretary. This
3、 publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 81383 2 ICS 35.040 Compliance with a British Standard cannot confer i
4、mmunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 27036-4:2016 Information technology Security techniques Inf
5、ormation security for supplier relationships Part 4: Guidelines for security of cloud services Technologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 4: Lignes directrices pour la scurit des services du nuage INTERNATIONAL STANDARD ISO/IEC 2
6、7036-4 Reference number ISO/IEC 27036-4:2016(E) First edition 2016-10-01 ISO/IEC 2016 BS ISO/IEC 27036-4:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be rep
7、roduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the request
8、er. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 27036-4:2016(E)BS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T er
9、ms and definitions . 1 4 Structure of this document 2 5 Key cloud concepts and security threats and risks 2 5.1 Characteristics of cloud computing . 2 5.2 Cloud service threats and associated risks to the cloud service customer . 3 5.3 Cloud service threats and associated risks for public cloud depl
10、oyment model . 4 5.4 Cloud service threats and associated risks for hybrid cloud deployment model 5 5.5 Cloud service threats and associated risks for private cloud deployment model 5 6 Information security controls in cloud service acquisition lifecycle .6 6.1 Agreement processes 6 6.1.1 Acquisitio
11、n process . 6 6.1.2 Supply process . 7 6.2 Organizational project-enabling processes 8 6.3 Project processes 8 6.3.1 Project planning process . 8 6.3.2 Project assessment and control process . 8 6.3.3 Decision management process 8 6.3.4 Risk management process . 8 6.3.5 Configuration management proc
12、ess . 8 6.3.6 Information management process . 9 6.3.7 Measurement process . 9 6.4 Technical processes 9 6.4.1 Stakeholder requirements definition process 9 6.4.2 Requirements analysis process . 9 6.4.3 Architectural design process . 9 6.4.4 Implementation process . 9 6.4.5 Integration process .10 6
13、.4.6 Verification process 10 6.4.7 Transition process .10 6.4.8 Validation process 10 6.4.9 Operation process 10 6.4.10 Maintenance process .10 6.4.11 Disposal process 11 7 Information security controls in cloud service providers .11 7.1 Overview .11 7.1.1 Control sets related to cloud service deplo
14、yment model 11 7.1.2 Setting information security controls at a cloud service provider 11 7.2 Public cloud deployment model12 7.2.1 Infrastructure capabilities type .12 7.2.2 Platform capabilities type .13 7.2.3 Application capabilities type 13 7.3 Hybrid cloud deployment model 14 7.4 Private cloud
15、deployment model .14 Annex A (informative) Information security standards for cloud providers 15 Annex B (informative) Mapping to ISO/IEC 27017 controls .19 Bibliography .21 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E) Foreword ISO (the Internation
16、al Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by
17、 the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of
18、 information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
19、different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and
20、IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this do
21、cument is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in
22、the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. A list of all parts in the ISO/IEC 27036 series can be found on the ISO websit
23、e.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E) Introduction This document provides guidance on information security to cloud service customers and cloud service providers. Its application should result in increased understanding and definition of information secu
24、rity in cloud services, increased understanding by the customers of the risks associated with cloud services to enhance the specification of information security requirements, and increased ability of cloud service providers to provide assurance to customers that they have identified risks in their
25、service(s) and associated supply chains and have taken measures to manage those risks. This document is intended to be used by all types of organizations that acquire or supply cloud services. The document is intended primarily for risk owners in cloud service customers, who finally accept the use o
26、f the cloud service, and the individual accountable for the cloud service provided by the cloud service provider. The guidance is primarily focused on the initial link of the first cloud service customer and cloud service provider, but the principal steps should be applied throughout the supply chai
27、n, starting when the first cloud service provider changes its role to being a cloud service customer and so on. The manner in which this change of roles is repeated and the manner in which the same steps are repeated for each new cloud service customer-cloud service provider link in the chain are ce
28、ntral to this document. By following the guidance contained within this document, it should be possible to have a seamless linkage of information security priorities visible across the supply chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Org
29、anizations that wish to improve trust within their cloud service provision should define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilit
30、ies being introduced through their cloud service provision supply chain. ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for customers and providers. ISO/IEC 27017 and ISO/IEC 27018 provide guidance on how a cloud servic
31、e customer and cloud service provider can implement, manage and operate information security for a cloud service. ISO/IEC 27036 (all parts) provides further detail regarding specific requirements to be used in establishing and monitoring information security in supplier relationships. This document
32、is based upon the premise that a cloud service customer has applied general information security according to an information security management system (ISMS) (ISO/IEC 27001). As a result, much of the content is focused on the cloud service provider and depends on the capabilities type, service cate
33、gory and deployment model of the actual cloud service. Typically, cloud services are purchased “as is”; a cloud service customer has no ability to specify or request changes to the cloud service being purchased. However, in certain cases, the customer has the ability to specify the service and the d
34、etail of that service, including the information security arrangements required of the supplier. ISO/IEC 27036 is written to cover both of these eventualities. This document is written to cover the first of these eventualities and refers to ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 for th
35、e cases when security arrangements can be specified. For a cloud service customer, this means that when reading this document, it should be noted that it is only addressing what are cloud service-specific security processes and controls. It is assumed all other general information security processes
36、 and controls necessary for the cloud service customer organization are in place to handle information security in the cloud service to be or being used. The general information security processes and controls are found in other ISO/IEC standards and in particular ISO/IEC 27036-1, ISO/IEC 27036-2, I
37、SO/IEC 27036-3, ISO/IEC 27017 and ISO/IEC 27018. ISO/IEC 2016 All rights reserved vBS ISO/IEC 27036-4:2016BS ISO/IEC 27036-4:2016Information technology Security techniques Information security for supplier relationships Part 4: Guidelines for security of cloud services 1 Scope This document provides
38、 cloud service customers and cloud service providers with guidance on a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and b) responding to risks specific to the acquisition or provision of cloud services that c
39、an have an information security impact on organizations using these services. This document does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. This document does not provide guidance on how a cloud service p
40、rovider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of this document is to define guidelines supporting the implementation of information security management for the use of cloud services. 2 Normative referen
41、ces The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) ap
42、plies. ISO/IEC 17788 | ITU-T Rec. Y.3500, Information technology Cloud computing Overview and vocabulary ISO/IEC 27017 | ITU-T Rec. X.1631, Information technology Security techniques Code of practice for information security controls based on ISO/IEC 27002 for cloud services ISO/IEC 27036-1, Informa
43、tion technology Security techniques Information security in supplier relationships Part 1: Overview and concepts ISO/IEC 27036-2, Information technology Security techniques Information security in supplier relationships Part 2: Requirements ISO/IEC 27036-3, Information technology Security techniques
44、 Information security in supplier relationships Part 3: Guidelines for information and communication technology supply chain security 3 T erms a nd definiti ons For the purposes of this document, the terms and definitions given in ISO/IEC 27036-1, ISO/IEC 27036- 2, ISO/IEC 27036-3 and ISO/IEC 17788
45、| ITU-T Rec. Y.3500 apply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ INTERNATIONAL ST ANDARD ISO/IEC 27036-4:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 27036-4:2016ISO/IE
46、C 27036-4:2016(E) ISO Online browsing platform: available at http:/ /www.iso.org/obp 4 Structure of this document This document should be used in combination with the other parts within ISO/IEC 27036. It is necessary to follow ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 to implement the gui
47、delines. This document should be used as additional guidelines for information security specifically addressing cloud services; security controls for cloud services are found in ISO/IEC 27017 and ISO/IEC 27018. Mapping of security controls can be found in Annex A. This document is structured to be h
48、armonized with ISO/IEC/IEEE 15288 and ISO/IEC 12207. Clause 6 mirrors lifecycle processes provided in those two standards. This document is also harmonized with ISO/IEC 27017 and provides a mapping of ISO/IEC 27017 information security controls to the lifecycle processes in Annex B. NOTE 1 Clause 6
49、is particularly applicable to public cloud deployment models. NOTE 2 In each table presented in Clause 6, a blank column is inserted between the columns of “cloud service customer” and “cloud service provider”. This blank column indicates that the guidance given for cloud service customer and cloud service provider are separate and not related. The documents named in this document are generic and do not need to be elaborated or be separate documents. Organizati
