ISO/IEC 27001:2022 Annex A 5.23 Information Security for Use of Cloud Services

Purpose of ISO 27001:2022 Annex A 5.23

ISO 27001:2022 Annex A 5.23 is a new control that outlines the processes required to acquire, use, manage and exit cloud services in line with the organisation's unique information security requirements.

Annex A Control 5.23 allows the organisation, acting as a "cloud service customer", to first specify and then subsequently manage and administer the information security concepts associated with cloud services.

Annex A 5.23 is a preventive control that maintains risk by specifying the policies and procedures that govern information security within the commercial cloud services domain.

Given that not all cloud services are ICT-specific (although it can reasonably be asserted that most of them are), ownership of Annex A Control 5.23 should be allocated to either the organisation's Chief Technology Officer or Chief Operating Officer, depending on the operational circumstances at the time.

Guidance on ISO 27001:2022 Annex A Control 5.23 – Organisational Obligations

Compliance with Control 5.23 involves adhering to what’s known as a ‘topic-specific’ approach to cloud services and information security.

Given the variety of cloud services on offer, topic-specific approaches encourage organisations to create cloud services policies that are tailored towards individual business functions, rather than adhering to a blanket policy that applies to information security and cloud services across the board.

It should be noted that ISO considers adherence to Annex A Control 5.23 as a collaborative effort between the organisation and their cloud service partner. Annex A Control 5.23 should also be closely aligned with Controls 5.21 and 5.22, which deal with information management in the supply chain and the management of supplier services respectively.

However an organisation chooses to operate, Annex A Control 5.23 should not be taken in isolation and should complement existing efforts to manage supplier relationships.

With information security at the forefront, the organisation should define:

- Any relevant security requirements or concerns involved in the use of a cloud platform.
- The criteria involved in selecting a cloud services provider, and how their services are to be used.
- A granular description of the roles and relevant responsibilities that govern how cloud services are to be used across the organisation.
- Precisely which information security areas are controlled by the cloud service provider, and which fall under the remit of the organisation itself.
- The best ways in which to first collate and then utilise any information security-related service components provided by the cloud service platform.
- How to obtain categorical assurances on any information security-related controls enacted by the cloud service provider.
- The steps that need to be taken in order to manage changes, communication and controls across multiple distinct cloud platforms, which are not always from the same supplier.
- Incident management procedures that are solely concerned with the provision of cloud services.
- How the organisation expects to manage its ongoing use and/or wholesale adoption of cloud platforms, in line with its broader information security obligations.
- A strategy for the cessation or amendment of cloud services, either on a supplier-by-supplier basis, or through the process of cloud to on-premise migration.

Guidance on Annex A Control 5.23 – Cloud Services Agreements

Annex A Control 5.23 acknowledges that, unlike other supplier relationships, cloud service agreements are rigid documents that aren’t amendable in the vast majority of cases.

With that in mind, organisations should scrutinise cloud service agreements and ensure that four main operational requirements are met:

- Confidentiality.
- Security/data integrity.
- Service availability.
- Information handling.

As with other supplier contracts, prior to acceptance, cloud service agreements should undergo a thorough risk assessment that highlights potential problems at source.

At a bare minimum, the organisation should enter into a cloud services agreement only when it is satisfied that the following 10 provisions have been met:

- Cloud services are provisioned and implemented based on the organisation's unique requirements relating to its area of operation, including industry-accepted standards and practices for cloud-based architecture and hosted infrastructure.
- Access to any cloud platform meets the broader information security requirements of the organisation.
- Adequate consideration is given to antimalware and antivirus services, including proactive monitoring and threat protection.
- The cloud provider adheres to a predefined set of data storage and processing stipulations, relating to one or more distinct global regions and regulatory environments.
- Proactive support is provided to the organisation, should the cloud platform suffer a catastrophic failure or an information security-related incident.
- If the need arises to sub-contract or otherwise outsource any element of the cloud platform, the supplier's information security requirements remain a constant consideration.
- Should the organisation require any assistance in collating digital information for any relevant purpose (law enforcement, regulatory alignment, commercial purposes), the cloud services provider will support the organisation as far as is possible.
- At the end of the relationship, the cloud service provider provides reasonable support and appropriate availability during the transition or decommissioning period.
- The cloud service provider operates with a robust BUDR plan that is focused on carrying out adequate backups of the organisation's data.
- All relevant supplementary data is transferred from the cloud services provider to the organisation, including configuration information and code that the organisation has a claim to.

Supplementary Information on Annex A Control 5.23

In addition to the above guidance, Annex A Control 5.23 suggests that organisations form a close working relationship with cloud service providers, in accordance with the important service they provide not only in information security terms, but across an organisation’s entire commercial operation.

Organisations, where possible, should seek out the following stipulations from cloud service providers to improve operational resilience and enjoy enhanced levels of information security:

- All infrastructure amendments should be communicated in advance, to inform the organisation's own set of information security standards.
- The organisation needs to be kept informed of any changes to data storage procedures that involve migrating data to a different jurisdiction or global region.
- Any intention on the part of the cloud service provider to utilise "peer cloud" providers, or to outsource areas of its operation to subcontractors, that may have information security implications for the organisation.
