Control Mapping
The tables below show how responsibility for each control area is split between the Cloud Service Provider (CSP) and the End User (EU) under the IaaS, PaaS and SaaS service models, mapped against ISO 27001:2013 (Annex A) and the Cloud Security Standard. Where a cell lists both parties, the control is a shared responsibility for that service model.
*CSP – Cloud Service Provider
*EU – End User
| ISO 27001:2013 control | Objective | IAAS | PAAS | SAAS |
|---|---|---|---|---|
| A.5 Information Security Policies | To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. | CSP | CSP | CSP |
| A.6 Organization of information security | To establish a management framework to initiate and control the implementation and operation of information security within the organization. To ensure the security of teleworking and use of mobile devices. | CSP | CSP | CSP |
| A.7 Human Resource Security | To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. To ensure that employees and contractors are aware of and fulfil their information security responsibilities. To protect the organization's interests as part of the process of changing or terminating employment. | CSP | CSP | CSP |
| A.8 Asset Management | To identify organizational assets and define appropriate protection responsibilities. To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. To prevent unauthorized disclosure, modification, removal or destruction of information stored on media. | CSP, EU | CSP, EU | CSP |
| A.9 Access Control | To limit access to information and information processing facilities. To ensure authorized user access and to prevent unauthorized access to systems and services. To make users accountable for safeguarding their authentication information. To prevent unauthorized access to systems and applications. | CSP, EU | CSP, EU | CSP, EU |
| A.10 Cryptography | To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. | CSP, EU | CSP, EU | CSP |
| A.11 Physical & Environmental Security | To prevent unauthorized physical access, damage and interference to the organization's information and information processing facilities. To prevent loss, damage, theft or compromise of assets and interruption to the organization's operations. | CSP | CSP | CSP |
| A.12 Operation Security | To ensure correct and secure operations of information processing facilities. To ensure that information and information processing facilities are protected against malware. To protect against loss of data. To record events and generate evidence. To ensure the integrity of operational systems. To prevent exploitation of technical vulnerabilities. To minimize the impact of audit activities on operational systems. | CSP, EU | CSP, EU | CSP |
| A.13 Communication Security | To ensure the protection of information in networks and its supporting information processing facilities. To maintain the security of information transferred within an organization and with any external entity. | CSP, EU | CSP, EU | CSP |
| A.14 System acquisition, development and maintenance | To ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. To ensure that information security is designed and implemented within the development lifecycle of information systems. To ensure the protection of data used for testing. | CSP, EU | CSP, EU | CSP |
| A.15 Supplier Relationships | To ensure protection of the organization's assets that are accessible by suppliers. To maintain an agreed level of information security and service delivery in line with supplier agreements. | CSP, EU | CSP, EU | CSP |
| A.16 Information security incident management | To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. | CSP | CSP | CSP |
| A.17 Information security aspects of business continuity management | Information security continuity shall be embedded in the organization's business continuity management systems. To ensure availability of information processing facilities. | CSP, EU | CSP, EU | CSP |
| A.18 Compliance | To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. To ensure that information security is implemented and operated in accordance with the organizational policies and procedures. | CSP, EU | CSP, EU | CSP, EU |
| Cloud Security Standard control | Domain | Control | IAAS | PAAS | SAAS |
|---|---|---|---|---|---|
| AIS-01 | Application & Interface Security | Application Security | CSP, EU | CSP, EU | CSP |
| AIS-02 | Application & Interface Security | Customer Access Requirements | CSP, EU | CSP, EU | CSP |
| AIS-03 | Application & Interface Security | Data Integrity | CSP, EU | CSP, EU | CSP, EU |
| AIS-04 | Application & Interface Security | Data Security / Integrity | CSP, EU | CSP, EU | CSP, EU |
| AAC-01 | Audit Assurance & Compliance | Audit Planning | CSP, EU | CSP, EU | CSP, EU |
| AAC-02 | Audit Assurance & Compliance | Independent Audits | CSP, EU | CSP, EU | CSP, EU |
| AAC-03 | Audit Assurance & Compliance | Information System Regulatory Mapping | CSP | CSP | CSP |
| BCR-01 | Business Continuity Management & Operational Resilience | Business Continuity Planning | CSP | CSP | CSP |
| BCR-02 | Business Continuity Management & Operational Resilience | Business Continuity Testing | CSP | CSP | CSP |
| BCR-03 | Business Continuity Management & Operational Resilience | Datacenter Utilities / Environmental Conditions | CSP | CSP | CSP |
| BCR-04 | Business Continuity Management & Operational Resilience | Documentation | CSP | CSP | CSP |
| BCR-05 | Business Continuity Management & Operational Resilience | Environmental Risks | CSP | CSP | CSP |
| BCR-06 | Business Continuity Management & Operational Resilience | Equipment Location | CSP | CSP | CSP |
| BCR-07 | Business Continuity Management & Operational Resilience | Equipment Maintenance | CSP | CSP | CSP |
| BCR-08 | Business Continuity Management & Operational Resilience | Equipment Power Failures | CSP | CSP | CSP |
| BCR-09 | Business Continuity Management & Operational Resilience | Impact Analysis | CSP | CSP | CSP |
| BCR-10 | Business Continuity Management & Operational Resilience | Policy | CSP | CSP | CSP |
| BCR-11 | Business Continuity Management & Operational Resilience | Retention Policy | CSP | CSP | CSP |
| CCC-01 | Change Control & Configuration Management | New Development / Acquisition | CSP, EU | CSP, EU | CSP |
| CCC-02 | Change Control & Configuration Management | Outsourced Development | CSP, EU | CSP, EU | CSP |
| CCC-03 | Change Control & Configuration Management | Quality Testing | CSP, EU | CSP, EU | CSP, EU |
| CCC-04 | Change Control & Configuration Management | Unauthorized Software Installations | CSP, EU | CSP, EU | CSP, EU |
| CCC-05 | Change Control & Configuration Management | Production Changes | CSP, EU | CSP, EU | CSP, EU |
| DSI-01 | Data Security & Information Lifecycle Management | Classification | CSP, EU | CSP, EU | CSP |
| DSI-02 | Data Security & Information Lifecycle Management | Data Inventory / Flows | CSP, EU | CSP, EU | CSP, EU |
| DSI-03 | Data Security & Information Lifecycle Management | Ecommerce Transactions | CSP, EU | CSP, EU | CSP |
| DSI-04 | Data Security & Information Lifecycle Management | Handling / Labeling / Security Policy | CSP | CSP | CSP |
| DSI-05 | Data Security & Information Lifecycle Management | Non-Production Data | CSP, EU | CSP, EU | CSP |
| DSI-06 | Data Security & Information Lifecycle Management | Ownership / Stewardship | CSP, EU | CSP, EU | CSP |
| DSI-07 | Data Security & Information Lifecycle Management | Secure Disposal | CSP | CSP | CSP |
| DCS-01 | Datacenter Security | Asset Management | CSP | CSP | CSP |
| DCS-02 | Datacenter Security | Controlled Access Points | CSP | CSP | CSP |
| DCS-03 | Datacenter Security | Equipment Identification | CSP | CSP | CSP |
| DCS-04 | Datacenter Security | Off-Site Authorization | CSP, EU | CSP, EU | CSP, EU |
| DCS-05 | Datacenter Security | Off-Site Equipment | CSP, EU | CSP, EU | CSP |
| DCS-06 | Datacenter Security | Policy | CSP | CSP | CSP |
| DCS-07 | Datacenter Security | Secure Area Authorization | CSP | CSP | CSP |
| DCS-08 | Datacenter Security | Unauthorized Persons Entry | CSP | CSP | CSP |
| DCS-09 | Datacenter Security | User Access | CSP, EU | CSP, EU | CSP, EU |
| EKM-01 | Encryption & Key Management | Entitlement | CSP, EU | CSP, EU | CSP |
| EKM-02 | Encryption & Key Management | Key Generation | CSP, EU | CSP, EU | CSP, EU |
| EKM-03 | Encryption & Key Management | Sensitive Data Protection | CSP, EU | CSP, EU | CSP, EU |
| EKM-04 | Encryption & Key Management | Storage and Access | CSP, EU | CSP, EU | CSP, EU |
| GRM-01 | Governance and Risk Management | Baseline Requirements | CSP, EU | CSP, EU | CSP |
| GRM-02 | Governance and Risk Management | Data Focus Risk Assessments | CSP | CSP | CSP |
| GRM-03 | Governance and Risk Management | Oversight | CSP | CSP | CSP |
| GRM-04 | Governance and Risk Management | Program | CSP | CSP | CSP |
| GRM-05 | Governance and Risk Management | Support/Involvement | CSP | CSP | CSP |
| GRM-06 | Governance and Risk Management | Policy | CSP | CSP | CSP |
| GRM-07 | Governance and Risk Management | Policy Enforcement | CSP, EU | CSP, EU | CSP, EU |
| GRM-08 | Governance and Risk Management | Policy Impact on Risk Assessments | CSP, EU | CSP, EU | CSP |
| GRM-09 | Governance and Risk Management | Policy Reviews | CSP | CSP | CSP |
| GRM-10 | Governance and Risk Management | Risk Assessments | CSP | CSP | CSP |
| GRM-11 | Governance and Risk Management | Risk Management Framework | CSP | CSP | CSP |
| HRS-01 | Human Resources | Asset Returns | CSP | CSP | CSP |
| HRS-02 | Human Resources | Background Screening | CSP | CSP | CSP |
| HRS-03 | Human Resources | Employment Agreements | CSP | CSP | CSP |
| HRS-04 | Human Resources | Employment Termination | CSP | CSP | CSP |
| HRS-05 | Human Resources | Mobile Device Management | CSP, EU | CSP, EU | CSP, EU |
| HRS-06 | Human Resources | Non-Disclosure Agreements | CSP, EU | CSP, EU | CSP, EU |
| HRS-07 | Human Resources | Roles / Responsibilities | CSP, EU | CSP, EU | CSP, EU |
| HRS-08 | Human Resources | Technology Acceptable Use | CSP, EU | CSP, EU | CSP, EU |
| HRS-09 | Human Resources | Training / Awareness | CSP | CSP | CSP |
| HRS-10 | Human Resources | User Responsibility | CSP, EU | CSP, EU | CSP, EU |
| HRS-11 | Human Resources | Workspace | CSP | CSP | CSP |
| IAM-01 | Identity & Access Management | Audit Tools Access | CSP | CSP | CSP |
| IAM-02 | Identity & Access Management | Credential Lifecycle / Provision Management | CSP, EU | CSP, EU | CSP, EU |
| IAM-03 | Identity & Access Management | Diagnostic / Configuration Ports Access | CSP | CSP | CSP |
| IAM-04 | Identity & Access Management | Policies and Procedures | CSP | CSP | CSP |
| IAM-05 | Identity & Access Management | Segregation of Duties | CSP | CSP | CSP |
| IAM-06 | Identity & Access Management | Source Code Access Restriction | CSP | CSP | CSP, EU |
| IAM-07 | Identity & Access Management | Third Party Access | CSP, EU | CSP, EU | CSP, EU |
| IAM-08 | Identity & Access Management | Trusted Sources | CSP, EU | CSP, EU | CSP, EU |
| IAM-09 | Identity & Access Management | User Access Authorization | CSP, EU | CSP, EU | CSP |
| IAM-10 | Identity & Access Management | User Access Reviews | CSP, EU | CSP, EU | CSP |
| IAM-11 | Identity & Access Management | User Access Revocation | CSP, EU | CSP, EU | CSP, EU |
| IAM-12 | Identity & Access Management | User ID Credentials | EU | CSP, EU | CSP, EU |
| IAM-13 | Identity & Access Management | Utility Programs Access | EU | CSP, EU | CSP |
| IVS-01 | Infrastructure & Virtualization Security | Audit Logging / Intrusion Detection | CSP | CSP | CSP |
| IVS-02 | Infrastructure & Virtualization Security | Change Detection | CSP, EU | CSP, EU | CSP, EU |
| IVS-03 | Infrastructure & Virtualization Security | Clock Synchronization | CSP, EU | CSP, EU | CSP, EU |
| IVS-04 | Infrastructure & Virtualization Security | Information System Documentation | CSP | CSP | CSP |
| IVS-05 | Infrastructure & Virtualization Security | Vulnerability Management | CSP | CSP | CSP |
| IVS-06 | Infrastructure & Virtualization Security | Network Security | CSP | CSP | CSP |
| IVS-07 | Infrastructure & Virtualization Security | OS Hardening and Base Controls | CSP | CSP | CSP |
| IVS-08 | Infrastructure & Virtualization Security | Production / Non-Production Environments | CSP | CSP | CSP |
| IVS-09 | Infrastructure & Virtualization Security | Segmentation | CSP | CSP | CSP |
| IVS-10 | Infrastructure & Virtualization Security | VM Security - Data Protection | CSP | CSP | CSP |
| IVS-11 | Infrastructure & Virtualization Security | Hypervisor Hardening | CSP | CSP | CSP |
| IVS-12 | Infrastructure & Virtualization Security | Wireless Security | CSP | CSP | CSP |
| IVS-13 | Infrastructure & Virtualization Security | Network Architecture | CSP | CSP | CSP |
| IPY-01 | Interoperability & Portability | APIs | CSP, EU | CSP, EU | CSP, EU |
| IPY-02 | Interoperability & Portability | Data Request | CSP | CSP | CSP |
| IPY-03 | Interoperability & Portability | Policy & Legal | CSP | CSP | CSP |
| IPY-04 | Interoperability & Portability | Standardized Network Protocols | CSP | CSP | CSP |
| IPY-05 | Interoperability & Portability | Virtualization | CSP | CSP | CSP |
| MOS-01 | Mobile Security | Anti-Malware | EU | CSP, EU | CSP, EU |
| MOS-02 | Mobile Security | Application Stores | EU | CSP, EU | CSP, EU |
| MOS-03 | Mobile Security | Approved Applications | EU | CSP, EU | CSP, EU |
| MOS-04 | Mobile Security | Approved Software for BYOD | CSP | CSP | CSP |
| MOS-05 | Mobile Security | Awareness and Training | CSP | CSP | CSP |
| MOS-06 | Mobile Security | Cloud Based Services | CSP, EU | CSP, EU | CSP, EU |
| MOS-07 | Mobile Security | Compatibility | CSP | CSP | CSP |
| MOS-08 | Mobile Security | Device Eligibility | EU | EU | CSP |
| MOS-09 | Mobile Security | Device Inventory | CSP | CSP | CSP |
| MOS-10 | Mobile Security | Device Management | CSP | CSP | CSP |
| MOS-11 | Mobile Security | Encryption | CSP | CSP | CSP |
| MOS-12 | Mobile Security | Jailbreaking and Rooting | EU | EU | EU |
| MOS-13 | Mobile Security | Legal | CSP | CSP | CSP |
| MOS-14 | Mobile Security | Lockout Screen | CSP | CSP | CSP |
| MOS-15 | Mobile Security | Operating Systems | CSP, EU | CSP, EU | CSP, EU |
| MOS-16 | Mobile Security | Passwords | EU | EU | EU |
| MOS-17 | Mobile Security | Policy | CSP | CSP | CSP |
| MOS-18 | Mobile Security | Remote Wipe | CSP, EU | CSP, EU | CSP, EU |
| MOS-19 | Mobile Security | Patches | EU | EU | EU |
| MOS-20 | Mobile Security | Users | CSP, EU | CSP, EU | CSP, EU |
| SEF-01 | Security Incident Management, E-Discovery, & Cloud Forensics | Contact / Authority Maintenance | CSP | CSP | CSP |
| SEF-02 | Security Incident Management, E-Discovery, & Cloud Forensics | Incident Management | CSP | CSP | CSP |
| SEF-03 | Security Incident Management, E-Discovery, & Cloud Forensics | Incident Reporting | CSP | CSP | CSP |
| SEF-04 | Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Legal Preparation | CSP | CSP | CSP |
| SEF-05 | Security Incident Management, E-Discovery, & Cloud Forensics | Incident Response Metrics | CSP | CSP | CSP |
| STA-01 | Supply Chain Management, Transparency, and Accountability | Data Quality and Integrity | CSP | CSP | CSP |
| STA-02 | Supply Chain Management, Transparency, and Accountability | Incident Reporting | CSP | CSP | CSP |
| STA-03 | Supply Chain Management, Transparency, and Accountability | Network / Infrastructure Services | CSP, EU | CSP, EU | CSP, EU |
| STA-04 | Supply Chain Management, Transparency, and Accountability | Provider Internal Assessments | CSP | CSP | CSP |
| STA-05 | Supply Chain Management, Transparency, and Accountability | Supply Chain Agreements | CSP, EU | CSP, EU | CSP, EU |
| STA-06 | Supply Chain Management, Transparency, and Accountability | Supply Chain Governance Reviews | CSP, EU | CSP, EU | CSP, EU |
| STA-07 | Supply Chain Management, Transparency, and Accountability | Supply Chain Metrics | CSP, EU | CSP, EU | CSP, EU |
| STA-08 | Supply Chain Management, Transparency, and Accountability | Third Party Assessment | CSP, EU | CSP, EU | CSP, EU |
| STA-09 | Supply Chain Management, Transparency, and Accountability | Third Party Audits | CSP, EU | CSP, EU | CSP, EU |
| TVM-01 | Threat and Vulnerability Management | Anti-Virus / Malicious Software | EU | EU | CSP |
| TVM-02 | Threat and Vulnerability Management | Vulnerability / Patch Management | EU | EU | CSP |
| TVM-03 | Threat and Vulnerability Management | Mobile Code | CSP, EU | CSP, EU | CSP, EU |