ISO/IEC 27036-4
ISO/IEC 27036-4:2016 — Information security — Security techniques — Information security for supplier relationships — Part 4: Guidelines for security of cloud services
(first edition)
Abstract
ISO/IEC 27036 part 4 “provides cloud service customers and cloud service providers with guidance on (a) gaining visibility into the information security risks associated with the use of cloud services and managing those risks effectively, and (b) responding to risks specific to the acquisition or provision of cloud services that can have an information security impact on organizations using these services.
[Part 4] does not include business continuity management/resiliency issues involved with the cloud service.
ISO/IEC 27031 addresses business continuity.
[Part 4] does not provide guidance on how a cloud service provider should implement, manage and operate information security.
Guidance on those can be found in ISO/IEC 27002 and ISO/IEC 27017.
The scope of [part 4] is to define guidelines supporting the implementation of information security management for the use of cloud services”
[Source: ISO/IEC 27036-4:2016]
Introduction
There are numerous information risks involved in the supply of cloud computing services: this standard encourages suppliers and customers to identify and address them, collaboratively in some cases.
Scope
Part 4 guides suppliers and customers of cloud services on managing information security for those services.
Structure
Main sections:
5: Key cloud concepts and security threats and risks
6: Information security controls in cloud service acquisition lifecycle
7: Information security controls in cloud service providers
Annex A: Information security standards for cloud providers
Annex B: Mapping to ISO/IEC 27017 controls
Status
The current first edition of part 4 was published in 2016 and confirmed unchanged in 2022.
Commentary
Part 4 explicitly describes the information risks that it addresses. Full marks! Since the standard recommends various security controls to mitigate unacceptable risks, knowing what those risks are is a prerequisite for choosing appropriate controls.
