Cloud Security Standards
Here is a non-exhaustive list of cloud-security-related standards that are worth memorising.
| Standard | Overview |
|---|---|
| ISO 28000 | Specification for security management systems for the supply chain (including natural disasters); security management requirements |
| ISO/IEC 27034-1 | Security techniques - Application security - ONF + ANF |
| ISO/IEC 20000 (ITIL) | IT service management |
| ISO/IEC 27018 | Code of practice for PII in the public cloud; cloud providers acting as PII processors; privacy in cloud computing |
| EU Directive 95/46/EC | European Data Protection Directive |
| EU Directive 2002/58/EC | ePrivacy Directive; GDPR Article 95 says that this is still in force |
| COPPA | Children's Online Privacy Protection Rule - requirements for websites targeted at children under 13 |
| NIST SP 800-82 | Can apply to Industrial Control Systems (ICS) |
| SAS 70 | Outdated - auditing |
| SAS 18 | Current AICPA standard from which Service Organization Control (SOC) reports are derived |
| ISAE 3402/3400 | International equivalent of the AICPA SSAE |
| ISO/IEC 27001 | Mandates an ISMS |
| NIST SP 800-53 | List of security controls approved for use by US government agencies |
| NIST SP 800-37 | Risk Management Framework |
| ISO/IEC 27002 | Implementing security controls mapped to an ISMS framework |
| ISO/IEC 27017:2015 | Guidelines for information security controls for cloud services and customers |
| ISO/IEC 27018:2019 | Personally identifiable information (PII) in the cloud |
| ISO 31000:2018 | Risk management; designing, implementing and reviewing risk management processes and practices |
| NIST SP 800-32 | Guide for implementing risk management processes; relies on automation |
| ENISA | European Union Agency for Network and Information Security - publishes a risk management / risk assessment framework |
| ISO/IEC 15408-1:2009 | Common Criteria assurance framework -> assurance for claims made by vendors |
| ISO/IEC 21827 | Standard metric for security engineering practices |
| NIST SP 500-292 | Three layers of cloud service orchestration: physical, control, service |
| ISO/IEC 27005 | Information security risk management |
| FIPS 140-2 | NIST cryptographic modules - for non-classified data |
| ISO/IEC 17788:2014 | Cloud computing overview |
| ISO/IEC 17789 | Cloud computing - reference architecture |
| NIST SP 500-293 | Cloud technology roadmap |
| ISO/IEC 127013 | Requirements to implement Information Security Management Systems (ISMS) |
| 526-FZ | Russian law - data about Russian citizens must be stored in Russia |
| GAPP | Generally Accepted Privacy Principles - privacy standard |
| SSAE 16 | Replaces SAS 70; focused on auditing methods |
| NIST SP 800-146 | Cloud computing synopsis and recommendations; US equivalent of the ENISA risk document |
| ISO/IEC 24759:2017 | Security techniques - test requirements for cryptographic modules |
| ISO/IEC 19790:2012 | Security techniques - security requirements for cryptographic modules |
| ISO/IEC 27050 | Code of practice for electronic discovery (e-discovery) |
| ISO/IEC 27015:2012 | Information security management guidelines for financial services |
This post is licensed under CC BY 4.0 by the author.