How to handle cloud security threats using ISO 27001

Cloud security threats can have significant impacts on the modern business world. A misconfigured system can allow unauthorized access to critical servers and unauthorized transfer of sensitive data, while poor password policies and a lack of alternative infrastructure can render information useless or unavailable. The consequences for businesses can be serious: legal proceedings, financial losses, increased operational and insurance costs, damage to business competitiveness, and harm to organizational reputation.

To mitigate these risks, organizations should implement robust security controls, such as those outlined in ISO 27001, the leading international standard on Information Security Management Systems. For cloud services, the most relevant controls are those for managing supplier relationships and monitoring service agreements.

Security controls covering cloud security in ISO 27001:
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review, and change management of supplier service
  • A.5.23 Information security for use of cloud services

Cloud security threats

Cloud security threats, in the context of information security, are potential causes of incidents that can endanger the confidentiality, integrity, or availability of information in cloud environments. Such threats can arise naturally from the way processes operate, or they can be introduced by people, whether intentionally or by accident.

Threats are linked to information risks through asset-based risk assessment, a process for identifying and evaluating the risk of a threat agent acting against an asset (e.g., cloud services, platforms, or infrastructure) by exploiting its vulnerabilities. Examples of cloud security threats include:

  • fault in software
  • untested backup
  • weak authentication
  • lack of documentation
  • lack of competent staff
  • misconfiguration
  • poor access management
  • insider threats
  • unsecured APIs
  • software not updated
  • lack of encryption
  • unauthorized access
  • compliance violations
  • hacker attacks
  • supply chain failure
  • resource exhaustion (DDoS attacks)
  • inadequate isolation between tenants

Cloud security

Cloud security refers to the set of practices that work together to protect data, applications, and infrastructure in cloud computing environments, ensuring the confidentiality, integrity, and availability of data and services in the cloud.

Examples of such practices are policies, procedures, and technologies related to access control, encryption, network security, identity and access management, vulnerability management, and incident response.

Addressing cloud security threats with ISO 27001

As a quick overview, ISO 27001 is the ISO standard that describes how to manage information security in an organization through management practices and security controls, several of which apply to cloud security and protect the confidentiality, integrity, and availability of information.

By performing a risk assessment and treatment process, and by identifying applicable legal requirements (e.g., laws, regulations, and contracts), ISO 27001 can help organizations make their cloud services more robust against attacks in the following ways:

A.5.20 Addressing information security within supplier agreements
  • Rationale: By establishing and agreeing on relevant information security requirements, an organization can require cloud providers to implement and maintain proper security controls to protect its information and the availability of services. These clauses are the basis for the provider’s implementation of organizational, people, physical, and technological controls as described in ISO 27001 Annex A.
  • Documentation: Confidentiality Statement
  • Additional references: How to identify ISMS requirements of interested parties in ISO 27001; 6-step process for handling supplier security according to ISO 27001; Which security clauses to use for supplier agreements?

A.5.21 Managing information security in the ICT supply chain
  • Rationale: By defining and implementing processes and procedures to manage the information security risks related to information and communication technologies and the supply chain, an organization can ensure that its cloud provider and the provider’s own supply chain handle its security requirements properly.
  • Documentation: Supplier Security Policy
  • Additional references: ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide

A.5.22 Monitoring, review, and change management of supplier service
  • Rationale: By regularly monitoring, reviewing, evaluating, and managing changes to the services of their cloud providers, organizations can minimize the risk of required security levels not being maintained.
  • Documentation: Supplier Security Policy
  • Additional references: How to perform monitoring and measurement in ISO 27001

A.5.23 Information security for use of cloud services
  • Rationale: By managing the cloud services lifecycle, i.e., from acquisition to exit, organizations can ensure that cloud providers clearly understand and fulfill their responsibilities before, during, and after working with the organization’s information. This control essentially requires organizations to consider cloud security aspects in all processes and relations with suppliers.
  • Documentation: Supplier Security Policy

Improve cloud services value while handling related threats with ISO 27001

With proper planning and management, a cloud service provider can improve its control over cloud resources, segregating them so that resources are allocated correctly without leaving information unprotected.

Additionally, by proactively implementing security measures, an organization can become a more trustworthy partner to its customers and gain a competitive advantage by offering security levels appropriate to its customers’ needs.

By adopting ISO 27001, a cloud service provider can achieve more efficient and secure operations and improve the market’s perception of its security posture, in a systematic way that has already been proven on a globally recognized scale.

To automate handling cloud security threats using ISO 27001, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.