ISO/IEC 27036-4:2016
Information technology — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
ISO/IEC 27036-4:2016 provides cloud service customers and cloud service providers with guidance on a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services. ISO/IEC 27036-4:2016 does not include business continuity management/resiliency issues involved with the cloud service. ISO/IEC 27031 addresses business continuity. ISO/IEC 27036-4:2016 does not provide guidance on how a cloud service provider should implement, manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017. The scope of ISO/IEC 27036-4:2016 is to define guidelines supporting the implementation of information security management for the use of cloud services.
INTERNATIONAL STANDARD ISO/IEC 27036-4
First edition 2016-10-01
Information technology — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
Reference number ISO/IEC 27036-4:2016(E)
© ISO/IEC 2016
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Structure of this document ..... 2
5 Key cloud concepts and security threats and risks ..... 2
5.1 Characteristics of cloud computing ..... 2
5.2 Cloud service threats and associated risks to the cloud service customer ..... 3
5.3 Cloud service threats and associated risks for public cloud deployment model ..... 4
5.4 Cloud service threats and associated risks for hybrid cloud deployment model ..... 5
5.5 Cloud service threats and associated risks for private cloud deployment model ..... 5
6 Information security controls in cloud service acquisition lifecycle ..... 6
6.1 Agreement processes ..... 6
6.1.1 Acquisition process ..... 6
6.1.2 Supply process ..... 7
6.2 Organizational project-enabling processes ..... 8
6.3 Project processes ..... 8
6.3.1 Project planning process ..... 8
6.3.2 Project assessment and control process ..... 8
6.3.3 Decision management process ..... 8
6.3.4 Risk management process ..... 8
6.3.5 Configuration management process ..... 8
6.3.6 Information management process ..... 9
6.3.7 Measurement process ..... 9
6.4 Technical processes ..... 9
6.4.1 Stakeholder requirements definition process ..... 9
6.4.2 Requirements analysis process ..... 9
6.4.3 Architectural design process ..... 9
6.4.4 Implementation process ..... 9
6.4.5 Integration process ..... 10
6.4.6 Verification process ..... 10
6.4.7 Transition process ..... 10
6.4.8 Validation process ..... 10
6.4.9 Operation process ..... 10
6.4.10 Maintenance process ..... 10
6.4.11 Disposal process ..... 11
7 Information security controls in cloud service providers ..... 11
7.1 Overview ..... 11
7.1.1 Control sets related to cloud service deployment model ..... 11
7.1.2 Setting information security controls at a cloud service provider ..... 11
7.2 Public cloud deployment model ..... 12
7.2.1 Infrastructure capabilities type ..... 12
7.2.2 Platform capabilities type ..... 13
7.2.3 Application capabilities type ..... 13
7.3 Hybrid cloud deployment model ..... 14
7.4 Private cloud deployment model ..... 14
Annex A (informative) Information security standards for cloud providers ..... 15
Annex B (informative) Mapping to ISO/IEC 27017 controls ..... 19
Bibliography ..... 21
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment,
as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the
Technical Barriers to Trade (TBT) see the following URL: www.iso.org/iso/foreword.html.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 27036 series can be found on the ISO website.
Introduction
This document provides guidance on information security to cloud service customers and cloud service
providers. Its application should result in
— increased understanding and definition of information security in cloud services,
— increased understanding by the customers of the risks associated with cloud services to enhance
the specification of information security requirements, and
— increased ability of cloud service providers to provide assurance to customers that they have
identified risks in their service(s) and associated supply chains and have taken measures to manage
those risks.
This document is intended to be used by all types of organizations that acquire or supply cloud services.
The document is intended primarily for risk owners in cloud service customers, who finally accept the
use of the cloud service, and the individual accountable for the cloud service provided by the cloud
service provider. The guidance is primarily focused on the initial link of the first cloud service customer
and cloud service provider, but the principal steps should be applied throughout the supply chain,
starting when the first cloud service provider changes its role to being a cloud service customer and so
on. The manner in which this change of roles is repeated and the manner in which the same steps are
repeated for each new cloud service customer-cloud service provider link in the chain are central to this
document. By following the guidance contained within this document, it should be possible to have a
seamless linkage of information security priorities visible across the supply chain. Information security
concerns related to supplier relationships cover a broad range of scenarios. Organizations that wish
to improve trust within their cloud service provision should define their trust boundaries, evaluate
the risk associated with their supply chain activities, and then define and implement appropriate risk
identification and mitigation techniques to reduce the risk of vulnerabilities being introduced through
their cloud service provision supply chain.
ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for
identifying appropriate requirements for customers and providers. ISO/IEC 27017 and ISO/IEC 27018
provide guidance on how a cloud service customer and cloud service provider can implement, manage
and operate information security for a cloud service. ISO/IEC 27036 (all parts) provides further detail
regarding specific requirements to be used in establishing and monitoring information security in
supplier relationships. This document is based upon the premise that a cloud service customer has
applied general information security according to an information security management system (ISMS)
(ISO/IEC 27001). As a result, much of the content is focused on the cloud service provider and depends
on the capabilities type, service category and deployment model of the actual cloud service.
Typically, cloud services are purchased “as is”; a cloud service customer has no ability to specify or
request changes to the cloud service being purchased. However, in certain cases, the customer has
the ability to specify the service and the detail of that service, including the information security
arrangements required of the supplier. ISO/IEC 27036 is written to cover both of these eventualities.
This document is written to cover the first of these eventualities and refers to ISO/IEC 27036-1,
ISO/IEC 27036-2 and ISO/IEC 27036-3 for the cases when security arrangements can be specified.
For a cloud service customer, this means that when reading this document, it should be noted that it
is only addressing what are cloud service-specific security processes and controls. It is assumed all
other general information security processes and controls necessary for the cloud service customer
organization are in place to handle information security in the cloud service to be or being used. The
general information security processes and controls are found in other ISO/IEC standards and in
particular ISO/IEC 27036-1, ISO/IEC 27036-2, ISO/IEC 27036-3, ISO/IEC 27017 and ISO/IEC 27018.
INTERNATIONAL STANDARD ISO/IEC 27036-4:2016(E)
Information technology — Security techniques —
Information security for supplier relationships —
Part 4:
Guidelines for security of cloud services
1 Scope
This document provides cloud service customers and cloud service providers with guidance on
a) gaining visibility into the information security risks associated with the use of cloud services and
managing those risks effectively, and
b) responding to risks specific to the acquisition or provision of cloud services that can have an
information security impact on organizations using these services.
This document does not include business continuity management/resiliency issues involved with the
cloud service. ISO/IEC 27031 addresses business continuity.
This document does not provide guidance on how a cloud service provider should implement, manage
and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.
The scope of this document is to define guidelines supporting the implementation of information
security management for the use of cloud services.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17788 | ITU-T Rec. Y.3500, Information technology — Cloud computing — Overview and
vocabulary
ISO/IEC 27017 | ITU-T Rec. X.1631, Information technology — Security techniques — Code of practice for
information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27036-1, Information technology — Security techniques — Information security in supplier
relationships — Part 1: Overview and concepts
ISO/IEC 27036-2, Information technology — Security techniques — Information security in supplier
relationships — Part 2: Requirements
ISO/IEC 27036-3, Information technology — Security techniques — Information security in supplier
relationships — Part 3: Guidelines for information and communication technology supply chain security
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27036-1, ISO/IEC 27036-2, ISO/IEC 27036-3 and ISO/IEC 17788 | ITU-T Rec. Y.3500 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
4 Structure of this document
This document should be used in combination with the other parts within ISO/IEC 27036. It is necessary
to follow ISO/IEC 27036-1, ISO/IEC 27036-2 and ISO/IEC 27036-3 to implement the guidelines. This
document should be used as additional guidelines for information security specifically addressing
cloud services; security controls for cloud services are found in ISO/IEC 27017 and ISO/IEC 27018.
Mapping of security controls can be found in Annex A. This document is structured to be harmonized
with ISO/IEC/IEEE 15288 and ISO/IEC 12207. Clause 6 mirrors lifecycle processes provided in those
two standards. This document is also harmonized with ISO/IEC 27017 and provides a mapping of
ISO/IEC 27017 information security controls to the lifecycle processes in Annex B.
NOTE 1 Clause 6 is particularly applicable to public cloud deployment models.
NOTE 2 In each table presented in Clause 6, a blank column is inserted between the columns of “cloud service
customer” and “cloud service provider”. This blank column indicates that the guidance given for cloud service
customer and cloud service provider are separate and not related.
The documents named in this document are generic and do not need to be elaborated or be separate
documents. Organizations should use existing documents to integrate cloud service supply chain
security.
5 Key cloud concepts and security threats and risks
5.1 Characteristics of cloud computing
According to the definition of cloud computing, underpinning the cloud capabilities types and cloud
service categories are a number of technologies (such as server virtualization and Service Oriented
Architecture) that enable provision of the service. These cloud services typically use shared resources
in which a cloud service provider can move and process a cloud service customer’s information to
deliver the most efficient service at minimal cost.
ISO/IEC 17788 defines three cloud capabilities types which are typically shared and consumed by many
cloud service customers in supplier relationships. The following are the defined capabilities types:
a) application;
b) infrastructure;
c) platform.
Within ISO/IEC 27036, the term “acquirer” is used to indicate a stakeholder that procures a product or
service from another party, and the term “supplier” is used for an organization or an individual that
enters into agreement with the acquirer for the supply of a product or service. In this document,
the terms cloud service customer and cloud service provider are used for the acquirer and the supplier,
respectively, to differentiate between the roles in supplier relationships and to highlight specific roles
regarding cloud services.
There are differences and similarities in acquisition process between public cloud deployment models
and ICT outsourcing as shown in Figure 1. The following highlights differences between use of cloud
services based on the public cloud deployment model and other information services.
a) The cloud service is generally standardized with limited flexibility for customization;
b) The cloud service provider provides the cloud service customers with pre-determined information
security controls;
c) The cloud service provider does not usually accept an audit being conducted by an individual
customer;
d) The cloud service customer’s information security depends on the cloud service provider’s ability
to implement information security in the cloud service for the customer;
e) The cloud service provider offers the service to the cloud service customer with a pre-determined
agreement to be used as is without changes.
For hybrid or private cloud deployment models, these statements may not be applicable and there
may be the possibility of negotiating the service provided, the information security controls to be
implemented and the agreement for the use of the cloud service.
[Figure 1 — Differences and similarities between ICT outsourcing and public cloud deployment models]
5.2 Cloud service threats and associated risks to the cloud service customer
Cloud service customers are responsible and accountable for the information security risks incurred by
the use of information system services offered by external suppliers, including cloud service providers.
Cloud service customers are responsible for evaluating the risk of using a cloud service and deciding
whether to use the service and selecting a specific provider. The risks related to a cloud service differ
depending on the combination of cloud capabilities type, service category and deployment model. While
applicable threats are similar to those related to ICT, the cloud environment changes the consequences
to the cloud service customer that may result from an incident. For example, the “lack of visibility” that a
cloud service customer will have into the provided service means that the customer will have increased
difficulty in determining that an incident is in progress which might delay defensive measures and
remediation. That would, in turn, increase the consequence (and therefore the risk) although the threat
has not changed (e.g. malware attack).
It is essential from the cloud service customer perspective that the risks are dealt with as part of
customer risk assessments. The risk evaluation depends on the assets to be transferred and used in the
cloud service and the significance of those assets to the business.
The risks and threats depend on the factors discussed above and the sector where the cloud service and
deployment model are applied. For example, there may be different risks and threats in the health care
sector compared to the construction sector. Cloud service customers may require different levels of
assurance depending on the risk acceptance criteria of the customer and on the sector in which the
cloud service and deployment model are applied.
Cloud service customers have limited control over the location, access, processing and protection of
information placed in the cloud service. Additionally, cloud service customers may not be made aware of
incidents, breaches, failures or other issues affecting the service in a timely manner. The limited control,
coupled with a lack of information about the cloud service performance and security, presents a major
risk of using the cloud service. When making an acquisition decision, the cloud service customer will
need to evaluate these risks in relation to the information to be placed in the cloud and the dependence
of the business on the information and the cloud service.
As most cloud services are not auditable by the cloud service customer, third-party assurance might be
useful to evaluate and possibly reduce risks, provided that the scope of the assurance given by the third
party is relevant for the actual cloud service.
5.3 Cloud service threats and associated risks for public cloud deployment model
The threats and associated risks for a cloud service customer vary among the cloud capabilities types
and deployment model. Typical threats and risks for a public cloud deployment model are depicted in
Table 1.
Table 1 — Typical threats and risks associated with cloud capabilities types in a public cloud deployment model

Typical threats and risks | Infrastructure capabilities type | Platform capabilities type | Application capabilities type
Lack of control on where the cloud service customer data are stored | Where cloud service customer data are stored (integrity, traceability and privacy) | Where cloud service customer data are stored (integrity, traceability and privacy) | Where cloud service customer data are stored (integrity, traceability and privacy)
Unknown access to stored cloud service customer data | Who has access to or availability of stored cloud service customer data (availability) | Who has access to or availability of stored cloud service customer data (availability) | Who has access to or availability of stored cloud service customer data (availability)
Unknown data transmission process | How cloud service customer data are communicated (confidentiality, privacy and integrity) | How cloud service customer data are communicated (confidentiality, privacy and integrity) | How cloud service customer data are communicated (confidentiality, privacy and integrity)
Unknown superuser, administrator or privileged user access | Who has higher privileges (integrity, traceability, confidentiality and privacy) | Who has higher privileges (integrity, traceability, confidentiality and privacy) | Who has higher privileges (integrity, traceability, confidentiality and privacy)
Lack of protection against malware | Malware, etc. (all aspects) | Malware related to unsecure platforms (all aspects) | Malware related to applications (all aspects)
Unknown access rights to cloud service customer data | Not applicable | Access and rights through administrator rights (confidentiality, privacy and integrity) | Access and rights through user rights (confidentiality, privacy and integrity)
Lack of log data | Not applicable | Lack of log data (traceability and integrity) | Lack of log data from application (traceability and integrity)
Unknown integrity of platforms | Not applicable | Integrity of platforms (all aspects) | Integrity of platforms (all aspects)
Uncontrolled application layer changes | Not applicable | Not applicable | Uncontrolled changes (integrity)
Lack of security requirement in application layer development | Not applicable | Not applicable | Lack of security requirements in development (all aspects)
Inability to retrieve cloud service customer data during service provision | Not applicable | Not applicable | Lack of service or other issue, stopping retrieval of cloud service customer data (availability)
Uncertainty about control over cloud service customer data during and after service provision | Poor understanding of ownership of cloud service customer data such as network traffic information (availability) | Poor understanding of ownership of cloud service customer data such as user information, etc. (availability) | Poor understanding of ownership of cloud service customer data such as user information, etc. (availability)
Inability to determine whether cloud service customer data have been completely deleted at service termination/end | Lack of assurance that cloud service customer data (such as processing, storage or networking usage) have been deleted (confidentiality and availability) | Lack of assurance that cloud service customer data (such as development versions of applications, test data and execution environments) have been deleted (confidentiality and availability) | Lack of assurance that cloud service customer data (such as application usage, type of data processed and application user data) have been deleted (confidentiality and availability)
NOTE Table 1 indicates where risks occur in a
...
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27036-4
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: 2016-01-05
Voting terminates on: 2016-04-05
Information technology — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
Information technology — Information security for supplier relationships — Part 4: Title missing
ICS: 35.040
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number ISO/IEC DIS 27036-4:2015(E)
© ISO/IEC 2015
Contents
Foreword ..... vi
Introduction ..... vii
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 2
4 Structure of this International Standard ..... 2
5 Key cloud concepts and security threats and risks ..... 2
5.1 Characteristics of cloud computing ..... 2
5.2 Cloud service threats and associated risks to the cloud service customer ..... 3
5.3 Cloud service threats and associated risks for public cloud deployment model ..... 4
5.4 Cloud service threats and associated risks for hybrid cloud deployment model ..... 5
5.5 Cloud service threats and associated risks for private cloud deployment model ..... 5
6 Information security controls in cloud service acquisition lifecycle ..... 5
6.1 Agreement processes ..... 5
6.1.1 Acquisition process ..... 5
6.1.2 Supply process ..... 6
6.2 Organizational project-enabling processes ..... 7
6.3 Project processes ..... 7
6.3.1 Project planning process ..... 7
6.3.2 Project assessment and control process ..... 7
6.3.3 Decision management process ..... 7
6.3.4 Risk management process ..... 7
6.3.5 Configuration management process ..... 8
6.3.6 Information management process ..... 8
6.3.7 Measurement process ..... 8
6.4 Technical processes ..... 8
6.4.1 Stakeholder requirements definition process ..... 8
6.4.2 Requirements analysis process ..... 8
6.4.3 Architectural design process ..... 8
6.4.4 Implementation process ..... 8
6.4.5 Integration process ..... 9
6.4.6 Verification process ..... 9
6.4.7 Transition process ..... 9
6.4.8 Validation process ..... 9
6.4.9 Operation process ..... 9
6.4.10 Maintenance process ..... 9
6.4.11 Disposal process ..... 10
7 Information security controls in cloud service providers ..... 10
7.1 Overview ..... 10
7.1.1 Setting information security controls at a cloud service provider ..... 10
7.2 Public cloud deployment model ..... 11
7.2.1 Infrastructure capabilities type ..... 11
7.2.2 Platform capabilities type ..... 12
7.2.3 Application capabilities type ..... 12
7.3 Hybrid cloud deployment model ..... 13
7.4 Private cloud deployment model ..... 13
Annex A (informative) Information security standards for cloud providers ..... 14
Annex B (informative) Mapping to ISO/IEC 27017 controls ..... 17
Bibliography ..... 20
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 27036-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
ISO/IEC 27036 consists of the following parts, under the general title Information technology — Security
techniques — Information security for supplier relationships:
Part 1: Overview and concepts
Part 2: Requirements
Part 3: Guidelines for ICT supply chain security
Part 4: Guidelines for security of cloud services
Introduction
This International Standard provides guidance to cloud service customers and cloud service providers. Its
application should result in:
— increased understanding and definition of information security in cloud services;
— increased understanding by the customers of the risks associated with cloud services to enhance the
specification of information security requirements;
— increased ability of cloud service providers to provide assurance to customers that they have identified
risks in their service(s) and associated supply chains and have taken measures to manage those risks.
This International Standard is intended to be used by all types of organizations that acquire or supply cloud
services. The standard is intended primarily for risk owners in cloud service customers, who finally accept the
use of the cloud service, and the individual accountable for the cloud service provided by the cloud service
provider. The guidance is primarily focused on the initial link of the first cloud service customer and cloud
service provider, but the principal steps should be applied throughout the chain, starting when the first cloud
service provider changes its role to being a cloud service customer and so on. The manner in which this
change of roles is repeated and the manner in which the same steps are repeated for each new cloud service
customer-cloud service provider link in the chain is central to this standard. By following the guidance
contained within this standard it should be possible to have a seamless linkage of information security
priorities visible across the supply chain. Information security concerns related to supplier relationships cover
a broad range of scenarios. Organizations that wish to improve trust within their cloud service provision should
define their trust boundaries, evaluate the risk associated with their supply chain activities, and then define
and implement appropriate risk identification and mitigation techniques to reduce the risk of vulnerabilities
being introduced through their cloud service provision supply chain.
The ISO/IEC 27001 and ISO/IEC 27002 framework and controls provide a useful starting point for identifying
appropriate requirements for customers and providers. ISO/IEC 27017 and ISO/IEC 27018 provide guidance
on how a cloud service customer and cloud service provider can implement, manage and operate information
security for a cloud service. ISO/IEC 27036 (all parts) provides further detail regarding specific requirements
to be used in establishing and monitoring information security in supplier relationships. This part of the
standard is based upon the premise that a cloud service customer has applied general information security
according to an Information Security Management System (ISMS) (ISO/IEC 27001). As a result, much of the
content is focused on the cloud service provider and depends on the capabilities type, service category and
deployment model of the actual cloud service.
Typically, cloud services are purchased 'as is'; a cloud service customer has no ability to specify or request
changes to the cloud service being purchased. However, in certain cases, the customer has the ability to
specify the service and the detail of that service, including the information security arrangements required of
the supplier. ISO/IEC 27036 is written to cover both of these eventualities. This part of the International
Standard (Part 4) is written to cover the first of these eventualities and refers to ISO/IEC 27036 Parts 1 to 3 for
the cases in which security arrangements can be specified.
For a cloud service customer, this means that this standard addresses only cloud-service-specific security
processes and controls. It is assumed that all other general information security processes and controls
necessary for the cloud service customer organization are in place to handle information security in the cloud
service to be used or being used. The general information security processes and controls are found in other
ISO/IEC standards, in particular ISO/IEC 27036 Parts 1 to 3, ISO/IEC 27017 and ISO/IEC 27018.
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 27036-4
Information technology — Security techniques — Information
security for supplier relationships — Part 4: Guidelines for
security of cloud services
1 Scope
This part of International Standard ISO/IEC 27036 provides cloud service customers and cloud service
providers with guidance on:
a) gaining visibility into the information security risks associated with the use of cloud services and
managing those risks effectively; and
b) responding to risks specific to the acquisition or provision of cloud services that can have an information
security impact on organizations using these services.
This part of ISO/IEC 27036 does not include business continuity management/resiliency issues involved with
the cloud service. ISO/IEC 27031 addresses business continuity.
This part of ISO/IEC 27036 does not provide guidance on how a cloud service provider should implement,
manage and operate information security. Guidance on those can be found in ISO/IEC 27002 and ISO/IEC
27017.
The scope of this International Standard is to define guidelines supporting the implementation of Information
Security Management for the use of cloud services.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
Recommendation ITU-T Y.3500 | ISO/IEC 17788:2014, Information technology — Cloud computing — Overview and vocabulary
Recommendation ITU-T Y.3502 | ISO/IEC 17789:2014, Information technology — Cloud computing — Reference architecture
Recommendation ITU-T X.1631 | ISO/IEC 27017¹, Information technology — Security techniques — Code of practice for information security controls for cloud computing services based on ISO/IEC 27002
ISO/IEC 27036-1, Information technology — Security techniques — Information security in supplier relationships — Part 1: Overview and concepts
ISO/IEC 27036-2, Information technology — Security techniques — Information security in supplier relationships — Part 2: Requirements
ISO/IEC 27036-3, Information technology — Security techniques — Information security in supplier relationships — Part 3: Guidelines for ICT supply chain security
¹ To be published.
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27036-1, ISO/IEC 27036-2,
ISO/IEC 27036-3, and Recommendation ITU-T Y.3500 | ISO/IEC 17788 apply.
4 Structure of this International Standard
This International Standard should be used in combination with the other parts within ISO/IEC 27036. This
fourth part should be used as additional guidelines for information security specifically addressing cloud
services. This standard is structured to be harmonized with ISO/IEC 15288 and ISO/IEC 12207. Clause 6
mirrors lifecycle processes provided in those two standards. This International Standard is also harmonized
with ISO/IEC 27017 and provides a mapping of ISO/IEC 27017 information security controls to the life cycle
processes in Annex B (informative).
The documents named in this standard are generic and do not need to be elaborated or be separate
documents. Organizations should use existing documents to integrate cloud service supply chain security.
5 Key cloud concepts and security threats and risks
5.1 Characteristics of cloud computing
Underpinning the cloud capabilities types and cloud service categories defined for cloud computing are a number
of technologies (such as server virtualisation and Service Oriented Architecture) that enable provision of the
service. These cloud services typically use shared resources, in which a cloud service provider can move and
process a cloud service customer’s information to deliver the most efficient service at minimal cost.
ISO/IEC 17788 defines three cloud capabilities types which are typically shared and consumed by many cloud
service customers in supplier relationships. The following are the defined capabilities types:
a) Application
b) Infrastructure
c) Platform.
Within the ISO/IEC 27036 series, the term ‘acquirer’ is used to indicate a stakeholder that procures a product
or service from another party, and the term ‘supplier’ is used for an organization or an individual that enters
into an agreement with the acquirer for the supply of a product or service. In this part (ISO/IEC 27036-4),
the terms cloud service customer (for the acquirer) and cloud service provider (for the supplier) are used to
differentiate between the roles in supplier relationships and to highlight specific roles regarding cloud services.
There are differences and similarities in the acquisition process between public cloud deployment models and ICT
outsourcing, as shown in Figure 1. The following highlights differences between use of cloud services based
on the public cloud deployment model and other information services:
a) The cloud service is generally standardized, with limited flexibility for customization, and the cloud
service customers are charged a specific standard fee for that service.
b) The cloud service provider provides the cloud service customers with pre-determined information
security controls.
c) The cloud service provider does not usually accept an audit being conducted by an individual
customer.
d) The cloud service customer’s information security depends on the cloud service provider’s ability to
implement information security in the cloud service for the customer.
e) The cloud service provider will offer the service to the cloud service customer with a pre-determined
agreement to be used as is without changes.
For hybrid and private cloud deployment models, these statements may not be applicable and there may be
the possibility of negotiating the service provided, the information security controls to be implemented and the
agreement for the use of the cloud service.
ICT outsourcing; hybrid and private cloud deployment models
Acquirer organization (acquirer party):
• Sets information security requirements
• Communicates requirements
• Negotiates fulfilment in agreement
• Determines and accepts residual risk
• Signs agreement
Supplier organization (supplier party):
• Offers fulfilment of information security requirements based on communicated acquirer requirements
• Offers price
• Negotiates terms and fulfilment
• Determines and accepts supply risks with the agreement
• Signs agreement
Relationship: Negotiation; both parties accept; Agreement

Public cloud deployment model
Cloud service customer (acquirer party):
• Determines security requirements for information applicable to the service
• Evaluates and accepts residual risk
• Accepts service (Yes/No)
Cloud service provider (supplier party):
• Determines information security requirements based on service business model
• Describes information security controls
• Offers service level of information security
• Delivers service when accepted
Relationship: Non-negotiable offer; Acceptance; Accepted “As Is” Agreement

Figure 1: Differences and similarities between ICT Outsourcing and public cloud deployment models
5.2 Cloud service threats and associated risks to the cloud service customer
Cloud service customers are responsible and accountable for the information security risks incurred by the
use of information system services offered by external suppliers, including cloud service providers. Cloud
service customers are responsible for evaluating the risk of using a cloud service, deciding whether to use
the service and selecting a specific provider. The risks related to a cloud service differ depending on the
combination of cloud capabilities type, service category and deployment model. While the applicable threats are
similar to those related to ICT in general, the cloud environment changes the consequences to the cloud service
customer that may result from an incident. For example, the “lack of visibility” that a cloud service customer
will have into the provided service means that the customer will have increased difficulty in determining that an
incident is in progress, which might delay defensive measures and remediation. That would in turn increase
the consequence (and therefore the risk) although the threat itself has not changed (e.g. a malware attack).
It is essential from the cloud service customer perspective that the risks are dealt with as part of customer risk
assessments. The risk evaluation depends on the assets to be transferred and used in the cloud service and
the significance of those assets to the business.
The risks and threats depend on the sector in which the cloud service and deployment model are applied, as does
the level of assurance that may be required for the cloud service customer to accept the risks (for example,
requirements may differ between the health care and building sectors).
Cloud service customers have limited control over the location, access, processing and protection of
information placed in the cloud. Additionally, cloud service customers may not be made aware of incidents,
breaches, failures or other issues affecting the service in a timely manner. The limited control, coupled with a
lack of information about the cloud service performance and security presents a major risk of using the cloud.
When making an acquisition decision, the cloud service customer will need to evaluate these risks in relation
to the information to be placed in the cloud and the dependence of the business on the information and the
cloud service.
As most cloud services are not auditable by the cloud service customer, third party assurance might be useful
to evaluate and possibly reduce risks, provided that the scope of the assurance given by the third party is
relevant for the actual cloud service.
5.3 Cloud service threats and associated risks for public cloud deployment model
The threats and associated risks for a cloud service customer may vary among the cloud capabilities types
and deployment models. These threats and risks are depicted in Table 1 for a public cloud deployment model.
Table 1: Typical threats and risks associated with cloud capabilities types in a public cloud deployment model

| Typical threats and risks | Infrastructure | Platform | Application |
|---|---|---|---|
| Lack of control on where the cloud service customer data is stored | Where cloud service customer data is stored (integrity, traceability and privacy) | Where cloud service customer data is stored (integrity, traceability and privacy) | Where cloud service customer data is stored (integrity, traceability and privacy) |
| Unknown access to stored cloud service customer data | Who has access to or availability of stored cloud service customer data (availability) | Who has access to or availability of stored cloud service customer data (availability) | Who has access to or availability of stored cloud service customer data (availability) |
| Unknown data transmission process | How cloud service customer data is communicated (confidentiality, privacy and integrity) | How cloud service customer data is communicated (confidentiality, privacy and integrity) | How cloud service customer data is communicated (confidentiality, privacy and integrity) |
| Unknown superuser, administrator or privileged user access | Who has higher privileges (integrity, traceability, confidentiality and privacy) | Who has higher privileges (integrity, traceability, confidentiality and privacy) | Who has higher privileges (integrity, traceability, confidentiality and privacy) |
| Lack of protection against malware | Malware etc. (all aspects) | Malware related to unsecure platforms (all aspects) | Malware related to applications (all aspects) |
| Unknown access rights to cloud service customer data | | Access and rights through administrator rights (confidentiality, privacy and integrity) | Access and rights through user rights (confidentiality, privacy and integrity) |
| Lack of log data | | Lack of log data (traceability and integrity) | Lack of log data from application (traceability and integrity) |
| Unknown integrity of platforms | Integrity of platforms (all aspects) | Integrity of platforms (all aspects) | Integrity of platforms (all aspects) |
| Uncontrolled application changes | | | Uncontrolled application changes (integrity) |
| Lack of security requirements in application development | | | Lack of security requirements in application development (all aspects) |
| Inability to retrieve cloud service customer data during service provision | Lack of service or other issue, stopping retrieval of cloud service customer data (availability) | Lack of service or other issue, stopping retrieval of cloud service customer data (availability) | Lack of service or other issue, stopping retrieval of cloud service customer data (availability) |
| Uncertainty about control over cloud service customer data during and after service provision | Poor understanding of ownership of cloud service customer data such as network traffic information (availability) | Poor understanding of ownership of cloud service customer data such as user information etc. (availability) | Poor understanding of ownership of cloud service customer data such as user information etc. (availability) |
| Inability to determine whether cloud service customer data has been completely deleted at service termination/end | Lack of assurance that cloud service customer data (such as processing, storage or networking usage) has been deleted (confidentiality and availability) | Lack of assurance that cloud service customer data (such as development versions of applications, test data and execution environments) has been deleted (confidentiality and availability) | Lack of assurance that cloud service customer data (such as application usage, type of data processed and application user data) has been deleted (confidentiality and availability) |
5.4 Cloud service threats and associated risks for hybrid cloud deployment model
Typical risks and threats listed in 5.3 may apply depending on the service. Even if general security controls
can be applied to a hybrid cloud service, specific cloud service information security may be needed depending
on the service.
5.5 Cloud service threats and associated risks for private cloud deployment model
Typical risks and threats listed in 5.3 may apply depending on the service. These risks can be adjusted by
dialogue between the parties. In this dialogue, the cloud service customer can communicate their
requirements for the private cloud while the cloud service provider can tailor security controls to mitigate
app
...