1、BS ISO/IEC 27036-4:2016Information technology Security techniques Information security forsupplier relationshipsPart 4: Guidelines for security of cloudservicesBSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 27036-4:2016 BRITISH STANDARDNational forewordTh
2、is British Standard is the UK implementation of ISO/IEC 27036-4:2016.The UK participation in its preparation was entrusted to TechnicalCommittee IST/33/4, Security Controls and Services.A list of organizations represented on this committee can be obtained on request to its secretary.This publication
3、 does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016.Published by BSI Standards Limited 2016ISBN 978 0 580 81383 2 ICS 35.040 Compliance with a British Standard cannot confer immunity from l
4、egal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2016.Amendments/corrigenda issued since publicationDate T e x t a f f e c t e dBS ISO/IEC 27036-4:2016Information technology Security techniques Information security
5、for supplier relationships Part 4: Guidelines for security of cloud servicesTechnologies de linformation Techniques de scurit Scurit dinformation pour la relation avec le fournisseur Partie 4: Lignes directrices pour la scurit des services du nuageINTERNATIONAL STANDARDISO/IEC27036-4Reference number
6、ISO/IEC 27036-4:2016(E)First edition2016-10-01 ISO/IEC 2016BS ISO/IEC 27036-4:2016ii ISO/IEC 2016 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in SwitzerlandAll rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise
7、 in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester.ISO copyright officeCh. de
8、 Blandonnet 8 CP 401CH-1214 Vernier, Geneva, SwitzerlandTel. +41 22 749 01 11Fax +41 22 749 09 47copyrightiso.orgwww.iso.orgISO/IEC 27036-4:2016(E)BS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E)Foreword ivIntroduction v1 Scope . 12 Normative references 13 Terms and definitions . 14 Structure of this
9、document 25 Key cloud concepts and security threats and risks 25.1 Characteristics of cloud computing . 25.2 Cloud service threats and associated risks to the cloud service customer . 35.3 Cloud service threats and associated risks for public cloud deployment model . 45.4 Cloud service threats and a
10、ssociated risks for hybrid cloud deployment model 55.5 Cloud service threats and associated risks for private cloud deployment model 56 Information security controls in cloud service acquisition lifecycle . 66.1 Agreement processes 66.1.1 Acquisition process . 66.1.2 Supply process . 76.2 Organizati
11、onal project-enabling processes 86.3 Project processes 86.3.1 Project planning process . 86.3.2 Project assessment and control process . 86.3.3 Decision management process 86.3.4 Risk management process . 86.3.5 Configuration management process . 86.3.6 Information management process . 96.3.7 Measur
12、ement process . 96.4 Technical processes 96.4.1 Stakeholder requirements definition process 96.4.2 Requirements analysis process . 96.4.3 Architectural design process . 96.4.4 Implementation process . 96.4.5 Integration process .106.4.6 Verification process 106.4.7 Transition process .106.4.8 Valida
13、tion process 106.4.9 Operation process 106.4.10 Maintenance process .106.4.11 Disposal process 117 Information security controls in cloud service providers .117.1 Overview . 117.1.1 Control sets related to cloud service deployment model 117.1.2 Setting information security controls at a cloud servic
14、e provider 117.2 Public cloud deployment model 127.2.1 Infrastructure capabilities type . 127.2.2 Platform capabilities type . 137.2.3 Application capabilities type 137.3 Hybrid cloud deployment model 147.4 Private cloud deployment model . 14Annex A (informative) Information security standards for c
15、loud providers 15Annex B (informative) Mapping to ISO/IEC 27017 controls .19Bibliography .21 ISO/IEC 2016 All rights reserved iiiContents PageBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E)ForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Com
16、mission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. I
17、SO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, I
18、SO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance
19、with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Detai
20、ls of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the convenience of users and does not constitute an end
21、orsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.htm
22、l.The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.A list of all parts in the ISO/IEC 27036 series can be found on the ISO website.iv ISO/IEC 2016 All rights reservedBS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E)Introduc
23、tionThis document provides guidance on information security to cloud service customers and cloud service providers. Its application should result in increased understanding and definition of information security in cloud services, increased understanding by the customers of the risks associated with
24、 cloud services to enhance the specification of information security requirements, and increased ability of cloud service providers to provide assurance to customers that they have identified risks in their service(s) and associated supply chains and have taken measures to manage those risks.This do
25、cument is intended to be used by all types of organizations that acquire or supply cloud services. The document is intended primarily for risk owners in cloud service customers, who finally accept the use of the cloud service, and the individual accountable for the cloud service provided by the clou
26、d service provider. The guidance is primarily focused on the initial link of the first cloud service customer and cloud service provider, but the principal steps should be applied throughout the supply chain, starting when the first cloud service provider changes its role to being a cloud service cu
27、stomer and so on. The manner in which this change of roles is repeated and the manner in which the same steps are repeated for each new cloud service customer-cloud service provider link in the chain are central to this document. By following the guidance contained within this document, it should be
28、 possible to have a seamless linkage of information security priorities visible across the supply chain. Information security concerns related to supplier relationships cover a broad range of scenarios. Organizations that wish to improve trust within their cloud service provision should define their
29、 trust boundaries, evaluate the risk associated with their supply chain activities, and then define and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilities being introduced through their cloud service provision supply chain.ISO/IEC 27001 and ISO/
30、IEC 27002 framework and controls provide a useful starting point for identifying appropriate requirements for customers and providers. ISO/IEC 27017 and ISO/IEC 27018 provide guidance on how a cloud service customer and cloud service provider can implement, manage and operate information security fo
31、r a cloud service. ISO/IEC 27036 (all parts) provides further detail regarding specific requirements to be used in establishing and monitoring information security in supplier relationships. This document is based upon the premise that a cloud service customer has applied general information securit
32、y according to an information security management system (ISMS) (ISO/IEC 27001). As a result, much of the content is focused on the cloud service provider and depends on the capabilities type, service category and deployment model of the actual cloud service.Typically, cloud services are purchased “
33、as is”; a cloud service customer has no ability to specify or request changes to the cloud service being purchased. However, in certain cases, the customer has the ability to specify the service and the detail of that service, including the information security arrangements required of the supplier.
34、 ISO/IEC 27036 is written to cover both of these eventualities. This document is written to cover the first of these eventualities and refers to ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 for the cases when security arrangements can be specified.For a cloud service customer, this means tha
35、t when reading this document, it should be noted that it is only addressing what are cloud service-specific security processes and controls. It is assumed all other general information security processes and controls necessary for the cloud service customer organization are in place to handle inform
36、ation security in the cloud service to be or being used. The general information security processes and controls are found in other ISO/IEC standards and in particular ISO/IEC 27036-1, ISO/IEC 27036-2, ISO/IEC 27036-3, ISO/IEC 27017 and ISO/IEC 27018. ISO/IEC 2016 All rights reserved vBS ISO/IEC 270
37、36-4:2016BS ISO/IEC 27036-4:2016Information technology Security techniques Information security for supplier relationships Part 4: Guidelines for security of cloud services1 ScopeThis document provides cloud service customers and cloud service providers with guidance ona) gaining visibility into the
38、 information security risks associated with the use of cloud services and managing those risks effectively, andb) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.This document does not i
39、nclude business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity.This document does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in IS
40、O/IEC 27002 and ISO/IEC 27017.The scope of this document is to define guidelines supporting the implementation of information security management for the use of cloud services.2 Normative referencesThe following documents are referred to in the text in such a way that some or all of their content co
41、nstitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.ISO/IEC 17788 | ITU-T Rec. Y.3500, Information technology Cloud computing Overview and vocabulary IS
42、O/IEC 27017 | ITU-T Rec. X.1631, Information technology Security techniques Code of practice for information security controls based on ISO/IEC 27002 for cloud servicesISO/IEC 27036-1, Information technology Security techniques Information security in supplier relationships Part 1: Overview and conc
43、eptsISO/IEC 27036-2, Information technology Security techniques Information security in supplier relationships Part 2: RequirementsISO/IEC 27036-3, Information technology Security techniques Information security in supplier relationships Part 3: Guidelines for information and communication technolog
44、y supply chain security3 Terms and definitionsFor the purposes of this document, the terms and definitions given in ISO/IEC 27036-1, ISO/IEC 27036-2, ISO/IEC 27036-3 and ISO/IEC 17788 | ITU-T Rec. Y.3500 apply.ISO and IEC maintain terminological databases for use in standardization at the following
45、addresses: IEC Electropedia: available at http:/www.electropedia.org/INTERNATIONAL STANDARD ISO/IEC 27036-4:2016(E) ISO/IEC 2016 All rights reserved 1BS ISO/IEC 27036-4:2016ISO/IEC 27036-4:2016(E) ISO Online browsing platform: available at http:/www.iso.org/obp4 Structure of this documentThis docume
46、nt should be used in combination with the other parts within ISO/IEC 27036. It is necessary to follow ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 to implement the guidelines. This document should be used as additional guidelines for information security specifically addressing cloud service
47、s; security controls for cloud services are found in ISO/IEC 27017 and ISO/IEC 27018. Mapping of security controls can be found in Annex A. This document is structured to be harmonized with ISO/IEC/IEEE 15288 and ISO/IEC 12207. Clause 6 mirrors lifecycle processes provided in those two standards. Th
48、is document is also harmonized with ISO/IEC 27017 and provides a mapping of ISO/IEC 27017 information security controls to the lifecycle processes in Annex B.NOTE 1 Clause 6 is particularly applicable to public cloud deployment models.NOTE 2 In each table presented in Clause 6, a blank column is ins
49、erted between the columns of “cloud service customer” and “cloud service provider”. This blank column indicates that the guidance given for cloud service customer and cloud service provider are separate and not related.The documents named in this document are generic and do not need to be elaborated or be separate documents. Organizations should use existing documents to integrate cloud service supply chain security.5 Key cloud concepts and security threats and risks5.1 Characteristics of cloud computingAccord
