Cloud Computing Policy
ISO/IEC 27001 Toolkit Version 8 ©CertiKit
Cloud Computing Policy [Insert Classification]
Implementation Guidance
(The header page and this section must be removed from the final version of the document.)

Purpose of this document
This document describes how services provided by third parties will be monitored and reviewed.

Areas of the standard addressed
The following areas of the ISO/IEC 27001:2013 standard are addressed by this document:
Annex A
A.5 Information security policies
A.5.1 Management direction for information security
A.5.1.1 Policies for information security
A.15 Supplier relationships
A.15.1 Information security in supplier relationships

General Guidance
Cloud computing is now in general use and introduces its own specific challenges. The key is to ensure that you maintain sufficient control and due diligence over the selection and use of cloud services so that data is not exposed to unacceptable risks. Many of the other policies that govern aspects such as access control and backups will also apply to cloud services, and these become even more important when your data is stored outside of your internal network.

Review Frequency
We would recommend that this document is reviewed annually.

Toolkit Version Number
ISO/IEC 27001 Toolkit Version 8 ©CertiKit.
Version 1
Page 1 of 9
[Insert date]
Document Fields
This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):
1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl+A on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers
If you wish to permanently convert the fields in this document to text, i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl+Shift+F9. If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly. Further detail on the above procedure can be found in the Toolkit Completion Instructions within the Project Resources folder.

Copyright notice
Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a trading name of Public I.T. Limited, a company registered in England and Wales with company number 6432088 and registered office at 5 Falcons Rise, Belper, Derbyshire, DE56 0QN.

Licence terms
This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third party copyright included in this document.
Disclaimer
Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.
[Replace with your logo]
Cloud Computing Policy
Document Classification: [Insert Classification]
Document Ref.: ISMS-DOC-A05-3
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:
Revision History
Version | Date | Revision Author | Summary of Changes

Distribution
Name | Title

Approval
Name | Position | Signature | Date
Contents
1 Introduction ........ 7
2 Policy ........ 8
1 Introduction
The purpose of this document is to set out the organization’s policy in the area of cloud computing.

[Organization Name] makes extensive use of cloud computing services in the delivery of its core business systems. The nature of these services is such that data is stored outside of the [Organization Name] internal network and is subject to access and management by a third party. Furthermore, many cloud services are offered on a multi-tenanted basis in which the infrastructure is shared across multiple customers of the Cloud Service Provider (CSP), making effective and secure segregation a key requirement. It is therefore essential that rules are established for the selection and management of cloud computing services so that data is appropriately protected according to its business value and classification.

Cloud computing is generally accepted to consist of the following types of services:
- Software-as-a-Service (SaaS): the provision of a hosted application for use as part of a business process. Hosting usually includes all supporting components for the application such as hardware, operating software, databases etc.
- Platform-as-a-Service (PaaS): hardware and supporting software such as operating system, database, development platform, web server etc. are provided, but no business applications.
- Infrastructure-as-a-Service (IaaS): only physical or virtual hardware components are provided.

This policy applies to the use of all types of cloud computing services and is particularly relevant where application data is stored.
2 Policy
It is [Organization Name] policy in the area of cloud computing that:
- Data belonging to [Organization Name] will only be stored within cloud services with the prior permission of the Chief Information Officer.
- Appropriate risk assessment must be carried out regarding proposed or continued use of cloud services, including a full understanding of the information security controls implemented by the CSP.
- Due diligence must be conducted prior to sign-up to a cloud service provider to ensure that appropriate controls will be in place to protect data. Preference will be given to suppliers who are certified to the ISO/IEC 27001:2013 international standard and who comply with the principles of the ISO/IEC 27017 and ISO/IEC 27018 codes of practice for cloud services.
- Service level agreements and contracts with cloud service providers must be reviewed, understood and accepted before sign-up to the service.
- Roles and responsibilities for activities such as backups, patching, log management, malware protection and incident management must be agreed and documented prior to the commencement of the cloud service.
- Procedures must be established to perform activities in the cloud environment that are irreversible, e.g. deletion of virtual servers, terminating a cloud service or restoration from backups. Supervision by a second, suitably qualified person must be a stated part of such procedures.
- The location of the data must be understood (e.g. UK, EU, USA) and the applicable legal basis established, such as the country whose law applies to the contract.
- Where available, two-factor authentication must be used to access all cloud services.
- Sufficient audit logging must be available to allow [Organization Name] to understand the ways in which its data is being accessed and to identify whether any unauthorized access has occurred.
- Confidential data stored in cloud services must be encrypted at rest and in transit using acceptable technologies and techniques. Where possible, encryption keys will be held by [Organization Name] rather than the supplier.
- [Organization Name] policies for the creation and management of user accounts will apply to cloud services.
- Backups must be taken of all data stored in the cloud. This may be performed either directly by [Organization Name] or under contract by the cloud service provider.
- All [Organization Name] data must be removed from cloud services in the event of a contract coming to an end for whatever reason.
- Data must not be stored in the cloud for longer than is necessary to deliver business processes.