Cloud Security Policy: Ultimate Guide

Introduction

In this ultimate guide I show you everything you need to know about the ISO 27001 Cloud Security Policy and exactly what you need to do to satisfy it to gain ISO 27001 certification.

We will get to grips with what cloud security is, understand why organisations need a Cloud Security Policy, show you how to write one, and let you in on trade secret’s that’ll save you hours of time and effort, simply by using this template. 

I am Stuart Barker: founder of High Table, Information Security expert and ISO 27001 Ninja, and this is the ISO 27001 Cloud Security Policy.

What is a Cloud Security Policy?

The cloud security policy sets out the guidelines and the framework for how you manage your cloud suppliers ensuring that they are secure.

This cloud security policy covers information security as it relates to your cloud suppliers and it is a new control in the 2022 update of the ISO 27001 standard – ISO27001:2022.

ISO 27001 Cloud Security Template

The Cloud Security Policy Template is part of the Ultimate ISO 27001 Toolkit and also exclusively available stand-alone. It is prewritten, fully populated and ready to go and fully complies with ISO27001:2022.

What is the Purpose of the ISO 27001 Cloud Security Policy?

The purpose of the ISO 27001 Cloud Security Policy is to ensure that your cloud suppliers are meeting your requirements for information security and also meeting their legal and regulatory obligations.

What is the ISO 27001 Cloud Security Principle?

That third party cloud suppliers fully meet the requirements for information security and protect your and your customers data.

Why is the ISO 27001 Cloud Security Policy Important?

Business and organisations rely heavily on cloud service providers. Whilst many of these are big names and big players in the market there are also smaller cloud service providers.

It may well be that we do not have any influence over the cloud supplier and much of the guidance in the ISO 27001 standard and the annex a control would in fact not be possible to implement with them it is still important that we understand, identify, manage and mitigate any risks that there maybe to our information security.

The cloud security policy sets out clearly what our approach to cloud providers is and where we do have an influence what our approach will be.

What should the ISO 27001 Cloud Security Policy Contain?

The ISO 27001 Cloud Security Policy is required to be presented in a certain way. What we mean by that is that the policy is expected to have certain document markup. Document mark up is just a fancy words for having certain information on the policy. It will need version control, a version number, an owner, an information security classification. An example ISO 27001 Cloud Security Policy table of contents would look something like this:

Document Version Control
Document Contents Page
Cloud Service Policy
Purpose
Scope
Principle
Third Party Supplier Register
Cloud Service Information Security Requirements
Cloud Service Audit and Review
Cloud Service Supplier Risk Management
Cloud Service Supplier Selection
Cloud Service Supplier Contracts, Agreements and Data Processing Agreements
Cloud Service Supplier Security Incident Management
Cloud Service Supplier End of Contract
Changes to Cloud Service Supplier
Policy Compliance
Compliance Measurement
Exceptions
Non-Compliance
Continual Improvement

How to write a Cloud Security Policy

Watch

Watch How to write a Cloud Security Policy in Under 10 Minutes

Implementation Summary Steps

1. Purpose: The purpose of the policy is to manage information security for the use of cloud services.
2. Scope: All employees and third party users, all third-party Cloud suppliers that process, store or transmit confidential or personal data.
3. Principle: Third party Cloud suppliers meet the requirements of the company legislation and the regulation for data security.
4. Third party supplier register: All cloud services are registered and recorded in the third party supplier register. Cloud services are assessed for criticality to the business and classified based on the data a process stored or transmitted.
5. Cloud service information security requirements: Cloud service suppliers should hold a relevant information security certification that covers the services that they provide.
6. Cloud service audit and review: Cloud service suppliers are subject to audit and review of data security in line with the third-party audit and review process.
7. Cloud service supplier risk management: Every cloud service supplier is to be entered onto the risk register and manage via risk management.
8. Cloud service supplier selection: Cloud service suppliers are selected based on their ability to meet the needs of the business before engaging a cloud service supplier data security due diligence is carried out.
9. Cloud service supplier contracts and agreements: An appropriate contract agreement and/or data processing agreement must be in place and enforceable before engaging with a cloud service supplier to process store or transmit confidential or personal information.
10. Cloud service supplier Incident Management: Cloud service supplier must have a security Incident Management process in place.
11. Cloud service supplier end of contract: At the end of the contract, the cloud supplier will confirm in writing that he has met the contractual and legal obligations for the destruction of company confidential and personal information.
12. Changes to cloud service supplier: Changes to the cloud service supplier require the formal written documented approval of the CEO.

Contents Page

First we are going to look at the contents. As we go through the creation of our policy we are going to look at

• the purpose
• the scope
• the principle
• we’re going to look at the third party supplier register
• the cloud service information security requirements
• the cloud service audit and review
• the supplier risk management
• supplier selection
• we’re going to look at agreements
• we’re going to look at supplier security incident management
• we are going to look at the service supplier end of contract and
• changes to the cloud supplier service and
• we are then going to look at policy compliance.

Third Party Supplier Policy

You can create this a hell of a lot faster if you already have the ISO 27001 Third Party Supplier Policy.

This is basically third party supplier management.

The changes to the ISO 27001:2022 standard decided that you know what, we’re going to introduce something specific to cloud, and then – you’ll see in a moment – but there isn’t anything you can do about it!

Cloud Security Policy Purpose

So, cloud service policy purpose. The purpose of the policy is to manage information security for the use of cloud services.

Cloud Security Policy Scope

Scope is all employees and third party users and all third-party cloud suppliers that process, store or transmit confidential or personal data.

Cloud Security Policy Principle

The principle is third party cloud suppliers meet the requirements of the company, legislation and the regulation for data security.

Predefined Cloud Agreements

It is my recommendation that in your policy, in line with the ISO 27001 guidance, the ISO 27001 Annex A 5.23 Information Security For Use Of Cloud Services guidance, cloud service agreement are often predefined and do not and are not open to negotiation.

I would state that your cloud service providers fall into this category.

Write that you acknowledge the fact that the cloud providers that you have, have contracts that are non-negotiable.

The standard allows for it. Our policy is that we acknowledge it.

Now, if that’s not the case then you make your amendments but that’s what we’re going to work with.

Third Party Supplier Register

We’re going to look at the third party supplier register. So, our policy is that all cloud services are registered and recorded in the third party supplier register.

Cloud services are assessed for criticality to the business, cloud services are classified based on the data processed, stored or transmitted.

In addition the following is captured as a minimum

• cloud services name and contact details
• what they do for us
• what data they process store or transmit
• whether we have a contract and a copy of that contract
• and what assurances we have for their data security.

This is the third party supplier register, the completion of it.

Yes, there is a template on hightable.io – go check out the third party supplier template.

Our policy is that we complete our third party supplier register and cloud service information security requirements.

Cloud Service Provide Security Assurance

It is our policy that cloud service suppliers should hold a relevant information security certification that covers the services that they provide to us.

As a minimum they should have an ISO 27001 certification, or a SOC 2 Type 2 Certificate.

We’re placing reliance on the work of other people.

Cloud Service Audit and Review

For our policy cloud service suppliers are subject to audit and review of data security in line with the third party audit and review process. We have a third party management process already. We are going to subject our cloud suppliers to that.

The level of audit and review is based on Cloud Service Supplier Selection risk.

Cloud Service Supplier Risk Management

Every cloud service supplier is to be entered onto the risk register and managed via risk
management.

Cloud Service Supplier Selection

Cloud service suppliers are selected based on their ability to meet the needs of the business.

Before engaging a cloud service supplier data security due diligence is carried out that includes an acceptable level of data security with identified recorded and managed risks.

Cloud Service Supplier Contracts

Appropriate supplier agreements and contracts that include data security requirements and legal and
Regulatory Compliance are in place.

Agreements and data processing agreements are in place. An appropriate contract agreement and/or data processing agreement must be in place and enforceable before engaging with a cloud service supplier to process store or transmit confidential or personal information.

Cloud service supplier contracts and agreements include the right to audit where appropriate, practicable and allowable. It is acknowledged that this is usually not the case.

All company policies apply to the use of the cloud service supplier.

Cloud Service Supplier Incident Management

Cloud service suppliers must have a security Incident Management process in place.

Cloud service supplier security incidents that impact confidential or personal information must reported within 12 hours elapsed of becoming aware of the incident.

Cloud service supplier security incidents are managed as part of the Incident Management Process.

Where appropriate the cloud service supplier Incident Management process is followed.

Cloud Service Supplier End of Contract

At the end of the contract where appropriate, practicable and relevant the cloud supplier will confirm in writing that they have met the contractual and legal obligations for the destruction of company confidential and personal information.

All access to all access to systems and information is revoked.

Cloud Service Supplier Changes

Changes to the cloud service supplier require the formal written documented approval of the CEO.

Changes would follow the change management policy and the change management process.

Changes to Cloud suppliers are significant changes and not to be taken lightly. This would be a significant
change requiring a significant project with all of the associated resources risk management and project management.

Compliance Section

And then within our policy as we complete our policy we can see that we have the compliance section that is covered on other tutorials.

ISO 27001 Cloud Security Policy Example

This is a great example of the cloud security policy. Taking the first 3 pages being the contents of what it includes.

What are the benefits of ISO 27001 Cloud Security Policy?

Other that your ISO 27001 certification requiring the following are benefits of having the ISO 27001 Cloud Security Policy :

1. Improved security: You will have assurance that the cloud supplier is protecting your and your customers data and meeting their contractual, legal and regulator obligations for information security
2. Reduced risk: Ensuring that the cloud provider has good information security will reduce the risk of attack and exploit
3. Improved compliance: Standards and regulations require third party suppliers and cloud suppliers to be secure and that you are managing and securing your supply chain
4. Reputation Protection: In the event of a breach having effective cloud provider management will reduce the potential for fines and reduce the PR impact of an event

Who is responsible for the ISO 27001 Cloud Security Policy?

The head of IT is responsible for the  ISO 27001 Cloud Security Policy.

Who is responsible for implementing the ISO 27001 Cloud Security Policy?

The IT department are responsible for implementing and managing the requirements of the ISO 27001 Cloud Security Policy.

How do you monitor the effectiveness of the ISO 27001 Cloud Security Policy?

The approaches to monitoring the effectives of cloud supplier security include:

1. Obtaining relevant industry information security certificates
2. Internal audit of the supplier management process
3. External audit of the management process
4. Review of cloud provider service and technical reports

What are examples of a violation of the Cloud Security Policy?

Examples of where the policy can fail or violations of the ISO 27001 Cloud Security Policy can include:

• Not having contracts in place with cloud providers
• Having contracts in place but they do not cover information security requirements
• Not being able to get information security assurance for cloud providers
• Not addressing cloud providers as part of risk management

What are the consequences of violating the ISO 27001 Cloud Security Policy?

Not managing cloud suppliers and their information security responsibilities can have severe consequences for information security and the confidentiality, integrity and availability of data and systems. 

The consequences could be legal and regulatory fines and / or enforcement, loss of data, loss of revenue, loss of clients and customers, negative PR.

How often is the Cloud Security Policy reviewed?

The Cloud Security Policy is reviewed after any significant change that affects cloud providers or cloud services  and at least annually.

ISO 27001 and the ISO 27001 Cloud Security Policy

The following are ISO 27001 controls relevant to cloud security to consider for further reading:

ISO 27001 Annex A 5.23 Information Security For Use Of Cloud Services.

Summary

When it comes to our cloud service supplier, we are treating them as we would any other third party. We are acknowledging in our policy straight away that while we have a policy it is overridden by the contract and the agreement of the cloud service provider.

Now, we know in reality you are going to have no leeway with AWS or any of the major Cloud providers. For you to go to them and say I require a dedicated account manager, I require you to do this, they just ain’t going to do it, right, so, what do we do?

We ensure the best practices of third party supplier management are in place. We have a generic policy that covers cloud service providers in general and we say though – if the agreement doesn’t allow for it
and in line with the requirement and guidance of the standard then we accept it.

Conclusion

That is a run through of the cloud service policy the cloud security policy for ISO27001: 2022. For other videos and tutorials on how you meet the requirements of ISO 27001 Annex A look at the
ISO 27001 Annex A Reference Guide.