
Certifying Information Security in the Cloud Madrid 18 th September 2013

Learn how to manage information security in the cloud with ISO 27001, the international standard for information security. Discover the benefits of the ISO 27001 standard and how it can help organizations in the cloud. Gain insights into the Cloud Controls Matrix and how it fills the gaps in industry-specific concerns. Increase security, trust, and assurance in cloud services.





Presentation Transcript


  1. Certifying Information Security in the Cloud. Madrid, 18th September 2013. Tom Nicholls – BSI

  2. About BSI • Thought Leaders: Shaped the world’s most adopted standards, incl. ISO 9001, ISO 14001, OHSAS 18001 and ISO 27001. • Global Network: 70,000 clients in 150 countries worldwide, including governments, global brands and SMEs. • Leading Global Standards Creation Body: British, European, ISO, Public, Private. • The UK National Standards Body: the source of British Standards. • Specialist Focus on Standards Creation, Training and Certification.

  3. ISO 27001 • ISO 27001 is the international standard for information security management. • It was developed from BS 7799. • There are over 17,500 organisations certified globally in over 120 countries. • A new version of the standard is due out soon. Source – ISO Survey 2011

  4. How does it work? • It is a management systems standard – it outlines the processes and procedures an organisation must have in place to manage information security issues in the core areas of the business. • The standard does not stipulate exactly how each process should operate. (Diagram: management system elements – Context, Leadership, Planning, Support, Operation, Performance Monitoring, Improvement – with Risk Assessment feeding Select Controls.)

  5. Risk Assessment and Controls • As part of the planning area the client must conduct a risk assessment and identify the appropriate controls. • There is a suggested list of controls in Annex A of ISO 27001 (written in 2005). • But: ‘The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed.’ Range of organisations to be covered: • Atomic power plant • Exam marking company • A large bank

  6. Criticisms – that other people have voiced… • ISO 27001 is updated every 8 years – the controls become obsolete faster than that. • It is a one-size-fits-all standard, but there are some industry-specific concerns it does not cover. • Any standard can become a lowest common denominator. • People can certify any scope they like within their organisation. • There are a number of frameworks and control lists out there, but there are several reasons why BSI chose to work with the CSA and its CCM. This is where the CSA’s Cloud Controls Matrix fills a need.

  7. Strengths of the CCM and the CSA approach • It works with other standards: ISO 27001, COBIT, HIPAA, NIST SP 800-53, FedRAMP, PCI, BITS, GAPP, Jericho Forum, NERC CIP. • It was written with the intention of making it publicly available. • It will be updated to keep pace with changes. • It wants to drive continuous improvement…

  8. Management Capability (Maturity) Scores • This audit approach would bring the objective of continual improvement front and centre. • It would allay the risk of standards becoming the lowest common denominator. • It would help focus attention on the management system and prevent certification becoming the end of the journey. • Maturity models are not new (especially in the IT sector). • But third-party auditing of them is less common. • TickITplus has it, BSI has done it, and I expect it to become more widespread.

  9. Conclusion • A core system required to manage information security. • Focused on areas critical to cloud computing. • With an auditable framework to assess maturity. • Increase Security, Trust and Assurance in Cloud Services.
