Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1472128
Summer 2022 | Features | page 54

To help you be successful in this process, we've identified 16 standards, certifications, audit reports, regulations, attestations, and US and international laws that firms can use to evaluate how well their native cloud providers are maintaining security compliance. The more of these your vendor meets or complies with, the better positioned they are to "pass through" their compliance to their cloud customers, including your firm.

We start with a globally recognized set of controls. The International Organization for Standardization (ISO) 27000 family of standards helps organizations implement controls and management structures to keep information assets secure, including financial information, intellectual property, employee details, and information entrusted to you by third parties. Four of these "27000-series" standards made our list:

1. ISO 27001 is the best-known standard providing requirements for an Information Security Management System (ISMS). ISO 27001 specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

2. ISO 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002, and additional controls with implementation guidance specifically related to cloud services.

3. ISO 27018 establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.

4. ISO 27701 is a privacy extension to ISO/IEC 27001 designed to enhance the existing ISMS with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for PII Controllers and PII Processors to manage privacy controls to reduce the risk to the privacy rights of individuals. The controls in ISO 27701 address many of the requirements in the EU's General Data Protection Regulation (GDPR), so being certified to the ISO 27701 controls becomes a way to help independently validate compliance with GDPR.

The United States has several standards and laws that are required by various US-based industries and recognized in other countries as important security benchmarks. The following eight are worth knowing about and may be important for your specific situation:

5. Service Organization Controls (SOC) reports help companies establish trust and confidence in their service delivery processes and controls. The SOC 2 report provides detailed information and assurance about the controls at a service organization/cloud provider relevant to one or more of the Trust Principles: security, availability, privacy, processing integrity, and confidentiality. A Type 1 SOC 2 audit validates that the systems used to process users' data have the appropriate controls in place for the selected Trust Principles; a Type 2 SOC 2 audit evaluates the operational effectiveness of the implemented controls.