Cloud Security Standards

Here is a non-exhaustive list of cloud-security-related standards that are worth memorising.

| Standard | Overview |
| --- | --- |
| ISO 28000 | Specification for security management systems for the supply chain (including natural disasters); security management requirements |
| ISO/IEC 27034-1 | Security techniques - Application security - ONF + ANF |
| ISO/IEC 20000 / ITIL | IT service management |
| ISO/IEC 27018 | Code of practice for PII in public clouds acting as PII processors; privacy in cloud computing |
| EU Directive 95/46/EC | European Data Protection Directive |
| EU Directive 2002/58/EC | ePrivacy Directive; GDPR Article 95 says this is still in force |
| COPPA | Children's Online Privacy Protection Rule; requirements for websites targeted at children under 13 |
| NIST SP 800-82 | Can apply to industrial control systems (ICS) |
| SAS 70 | Outdated auditing standard |
| SAS 18 | Current AICPA standard from which Service Organization Control (SOC) reports are derived |
| ISAE 3402/3400 | International equivalent of the AICPA SSAE |
| ISO/IEC 27001 | Mandates an ISMS |
| NIST SP 800-53 | List of security controls approved for use by US government agencies |
| NIST SP 800-37 | Risk Management Framework |
| ISO/IEC 27002 | Implementing security controls mapped to an ISMS framework |
| ISO/IEC 27017:2015 | Guidelines for information security controls for cloud service providers and customers |
| ISO/IEC 27018:2019 | Personally identifiable information (PII) in the cloud |
| ISO 31000:2018 | Risk management: designing, implementing and reviewing risk management processes and practices |
| NIST SP 800-32 | Guide for implementing risk management processes; relies on automation |
| ENISA | European Union Agency for Network and Information Security; publishes a risk management / risk assessment framework |
| ISO/IEC 15408-1:2009 | Common Criteria assurance framework; assurance for claims made by vendors |
| ISO/IEC 21827 | Standard metric for security engineering practices |
| NIST SP 500-292 | Three layers of cloud service orchestration: physical, control, service |
| ISO/IEC 27005 | Information security risk management |
| FIPS 140-2 | NIST standard for cryptographic modules (for sensitive but non-secret data) |
| ISO/IEC 17788:2014 | Cloud computing overview |
| ISO/IEC 17789 | Cloud computing reference architecture |
| NIST SP 500-293 | Cloud technology roadmap |
| ISO/IEC 127013 | Requirements to implement an Information Security Management System (ISMS) |
| 526-FZ | Russian law: data about Russian citizens must be stored in Russia |
| GAPP | Generally Accepted Privacy Principles; privacy standard |
| SSAE-16 | Replaces SAS 70; focused on auditing methods |
| NIST SP 800-146 | Cloud computing synopsis and recommendations; US equivalent of the ENISA risk document |
| ISO/IEC 24759:2017 | Security techniques: test requirements for cryptographic modules |
| ISO/IEC 19790:2012 | Security techniques: security requirements for cryptographic modules |
| ISO/IEC 27050 | Code of practice for electronic discovery (e-discovery) |
| ISO/IEC 27015:2012 | Information security management guidelines for financial services |

This post is licensed under CC BY 4.0 by the author.