CCM-IsO Reverse Mapping and Gap Analysis FINAL

Description
This document aims to help organizations assess and bridge compliance gaps
between the cloud security frameworks of ISO/IEC and the Cloud Security
Alliance (CSA). The document contain mappings and gap analysis of ISO/IEC
27002, 27017 and 27018 to the Cloud Controls Matrix (CCM). The mappings and
gap analysis of ISO/IEC 27002 to CCM are provided in the tabs A.5 - A.18. There
are no tabs for A.1 - A.4. The mappings and gap analysis to ISO/IEC 27017 and
27018 are provided in the last 2 tabs. The CSA and the CCM working group hope
that organizations will find this document useful for their cloud security compliance
programs.
The work was completed on May 18th, 2018 by volunteers in the CSA's CCM
Working Group who are acknowledged below. If you would like to volunteer in the
working group, please sign up here: https://cloudsecurityalliance.org/group/cloud-
controls-matrix/#_join
Acknowledgements
Leadership
Ai Ping Foo
Ahmed Maaloul
Sean Cordero
Contributors
Ai Ping Foo
Adnan Dakhwe
Ahmed Maaloul
Angela Dogan
Alejandro del Rio Betancourt
Bunmi Ogun
Chris Sellards
Chris Shull
Eric Tierling
Eleftherios Skoutaris
Josep Bardallo
Kazuki Yonezawa
Kelvin Arcelay
Madhav Chablani
Masashiro Morozumi
Mariela Rengel
Mohin Gulzar
Muswagha Katya
Noutcha Gilles
Puneet Thapliyal
Shahid Sharif
Saraj Mohammed
Victor Chin
W. M. Reid Leake
William Butler
CSA Staff
Victor Chin
ISO 27002
A.5 Information Security Po
A.5.1 - Management direction for infor

Objective: To provide management direction and support for information security in accorda
ID Control Control Description
A set of policies for information security shall

Policies for
be defined, approved by management,
5.1.1 information
published and communicated to employees
security
and relevant external parties.
The policies for information security shall be

Review of the policies
reviewed at planned intervals or if significant
5.1.2 for information
changes occur to ensure their continuing
security
suitability, adequacy and effectiveness.
© Copyright 2018, Cloud Security Alliance. All rights reserved
ISO 27002
A.5 Information Security Policies
anagement direction for information security

r information security in accordance with business requirements and relevant laws and regulations.
Is this a FULL, IF NO OR PARTIAL GAP

PARTIAL or exist, to which CCM Control
NO Gap? is this control linked to?
No Gap GRM-06
GRM-08
No Gap
GRM-09
y
ss requirements and relevant laws and regulations.
AND IF PARTIAL GAP exist, what is the gap

analysis?
Objective: To establish a management fram
ID Control
Information security
6.1.1
roles and responsibilities
6.1.2 Segregation of duties
6.1.3 Contact with authorities
Contact with special interest

6.1.4
groups
6.1.5
in project management
Obj
ID Control
6.2.1 Mobile device policy

6.2.2 Teleworking

ISO 27002
A.6 Organization of informat
A.6.1 - Internal organiz

Objective: To establish a management framework to initiate and control the implemen
Control Description
All information security responsibilities shall be defined and

allocated.
Conflicting duties and areas of responsibility shall be

segregated to reduce opportunities for unauthorized or
unintentional modification or misuse of the organization’s
assets.
Appropriate contacts with relevant authorities shall be

maintained.
Appropriate contacts with special interest groups or other

specialist security forums and professional associations shall
be maintained.
Information security shall be addressed in project
management, regardless of the type of the project.
A.6.2 - Mobile devices and te

Objective: To ensure the security of teleworking
Control Description
A policy and supporting security measures shall be adopted to

manage the risks introduced by using mobile devices.
A policy and supporting security measures shall be
implemented to protect information accessed, processed or
stored at teleworking sites.
y Alliance. All rights reserved

ISO 27002
A.6 Organization of information security
A.6.1 - Internal organization

ent framework to initiate and control the implementation and operation of information security within the organizat
IF NO OR PARTIAL GAP exist,

Is this a FULL, PARTIAL or NO
to which CCM Control is this
Gap?
control linked?
BCR-10
DSI-06
No Gap
HRS-07
GRM-06
IAM-05
No Gap
STA-01
No Gap SEF-01
Full Gap
No Gap
A.6.2 - Mobile devices and teleworking

Objective: To ensure the security of teleworking and use of mobile devices.
IF NO OR PARTIAL GAP exist,

Is this a FULL, PARTIAL or NO Gap? to which CCM Control is this
control linked to?
CCC-04
HRS-05
HRS-08
MOS-01
MOS-02
MOS-03
MOS-04
MOS-05
MOS-06
MOS-07
MOS-08
MOS-09
No Gap
MOS-10
MOS-11
MOS-12
MOS-13
MOS-14
MOS-15
MOS-16
MOS-17
MOS-18
MOS-19
MOS-20
Full Gap
of information security within the organization.
AND IF PARTIAL GAP exist, what is the gap analysis?

devices.

A.7 Human resource security
Objective: To ensure that employees and
ID Control
7.1.1 Screening
Terms and conditions

7.1.2
of employment
Objective: To ensure that e
ID Control
7.2.1 Management responsibilities

7.2.2 awareness, education
and training
7.2.3 Disciplinary process
Objective: To protect the
ID Control
Termination or change
7.3.1 of employment
responsibilities

ISO 27002
A.7.1 - Prior to employme

Objective: To ensure that employees and contractors understand their responsibilitie
Control Description
Background verification checks on all candidates for employment shall be

carried out in accordance with relevant laws, regulations and ethics and
shall be proportional to the business requirements, the classification of the
information to be accessed and the perceived risks.
The contractual agreements with employees and contractors shall state

their and the organization’s responsibilities for information security.
A.7.2 - During employme

Objective: To ensure that employees and contractors are aware of and
Control Description
Management shall require all employees and contractors to apply

information security in accordance with the established policies and
procedures of the organization.
All employees of the organization and, where relevant, contractors shall
receive appropriate awareness education and training and regular updates
in organizational policies and procedures, as relevant for their job function.
There shall be a formal and communicated disciplinary process in place to

take action against employees who have committed an information security
breach.
A.7.3 - Termination and change of

Objective: To protect the organization’s interests as part of the proc
Control Description
Information security responsibilities and duties that remain valid after

termination or change of employment shall be defined, communicated to
the employee or contractor and enforced.

ISO 27002
A.7.1 - Prior to employment

actors understand their responsibilities and are suitable for the roles for which they are considered.
IF NO OR PARTIAL GAP exist, to

Is this a FULL, PARTIAL or NO Gap?which CCM Control is this control
linked to?
No Gap HRS-02
HRS-03
No Gap HRS-04
HRS-07
A.7.2 - During employment

ees and contractors are aware of and fulfil their information security responsibilities.

linked to?
GRM-05
No Gap HRS-10
HRS-09
No Gap HRS-10
No Gap GRM-07
A.7.3 - Termination and change of employment

nization’s interests as part of the process of changing or terminating employment.

linked to?
Partial Gap HRS-04

ch they are considered.
nsibilities.

-
yment.
HRS-04 control has currently vague and confusing content, it is neither

clear to whom this control applies to (is it human resources personnel "for
performing" the termination? is it all employees?), nor to the time period it
concerns, before/during/after employment. 7.3.1. explicitly adheres to
security requirements after employment termination and addresses all
employees/contractors.
ISO 2
A.8 Asset m
A.8.1 - Respons
Objective: To identify organizational assets and
ID Control
8.1.1 Inventory of assets
8.1.2 Ownership of assets
8.1.3 Acceptable use of assets
8.1.4 Return of assets

A.8.2 - Informati
Objective: To ensure that information receives an appropriate level
ID Control
8.2.1 Classification of information
8.2.2 Labelling of information
8.2.3 Handling of assets
A.8.3 - Med
Objective: To prevent unauthorized disclosure, modificatio
ID Control
Management of removable
8.3.1
media
8.3.2 Disposal of media
8.3.3 Physical media transfer

ISO 27002
A.8 Asset management
A.8.1 - Responsibility for assets

Objective: To identify organizational assets and define appropriate protection responsibilit
Control Description
Assets associated with information and information

processing facilities shall be identified and an inventory of
these assets shall be drawn up and maintained.
Assets maintained in the inventory shall be owned.
Rules for the acceptable use of information and of assets

associated with information and information processing
facilities shall be identified, documented and implemented.
All employees and external party users shall return all of the
organizational assets in their possession upon termination of
their employment, contract or agreement.
A.8.2 - Information classification
Objective: To ensure that information receives an appropriate level of protection in accordance with its importa
Control Description
Information shall be classified in terms of legal requirements,

value, criticality and sensitivity to unauthorised disclosure or
modification.
An appropriate set of procedures for information labelling shall

be developed and implemented in accordance with the
information classification scheme adopted by the
organization.
Procedures for handling assets shall be developed and

implemented in accordance with the information classification
scheme adopted by the organization.
A.8.3 - Media handling

Objective: To prevent unauthorized disclosure, modification, removal or destruction of information sto
Control Description
Procedures shall be implemented for the management of

removable media in accordance with the classification
scheme adopted by the organization.
Media shall be disposed of securely when no longer required,
using formal procedures.
Media containing information shall be protected against

unauthorized access, misuse or corruption during
transportation.

SO 27002
Asset management
sponsibility for assets

sets and define appropriate protection responsibilities.
IF NO OR PARTIAL GAP
exist, to which CCM
Is this a FULL, PARTIAL or NO Gap?
Control is this control
linked to?
DCS-01
No Gap GRM-04
No Gap DCS-01
No Gap HRS-08
No Gap HRS-01
ormation classification
te level of protection in accordance with its importance to the organization.
exist, to which CCM
linked to?
DSI-01
No Gap
GRM-02
No Gap DSI-04
No Gap DSI-04
3 - Media handling
dification, removal or destruction of information stored on media.
exist, to which CCM
linked to?
No Gap DSI-04
DSI-07
No Gap
DCS-05
Partial Gap
DCS-04
AND IF PARTIAL GAP exist,
what is the gap analysis?
nization.


While in CCM this control is
oriented to getting authorization
and just in the context of
datacenter, in the ISO it is more
oriented as a general term
focusing on the security aspects
to consider for media transfer.
A partial gap exist in the CCM in

that there is no mention of policies
and procedures for the protection
of "physical media transfer".
A
A.9.1 - Business
Objective: To limit access to i
ID Control
9.1.1 Access control policy
Access to networks and

9.1.2
network services
A.9.2 - U
Objective: To ensure authorized user access
ID Control
User registration and
9.2.1
de-registration
9.2.2 User access provisioning
Management of privileged
9.2.3
access rights
Management of secret
9.2.4 authentication information
of users
Review of user access

9.2.5
rights
Removal or adjustment
9.2.6
of access rights
A.9.3
Objective: To make users accounta
ID Control
Use of secret authentication

9.3.1
information
A.9.4 - System
Objective: To prevent unau
ID Control
Information access
9.4.1
restriction
9.4.2 Secure log-on procedures
Password management
9.4.3
system
Use of privileged utility

9.4.4
programs
Access control to program

9.4.5
source code

ISO 27002
A.9 Access control
A.9.1 - Business requirements of access control

Objective: To limit access to information and information processing facil
Control Description
An access control policy shall be established, documented

and reviewed based on business and information security
requirements.
Users shall only be provided with access to the network and

network services that they have been specifically authorized
to use.
A.9.2 - User access management

Objective: To ensure authorized user access and to prevent unauthorized access to sys
Control Description
A formal user registration and de-registration process shall be
implemented to enable assignment of access rights.
A formal user access provisioning process shall be

implemented to assign or revoke access rights for all user
types to all systems and services.
The allocation and use of privileged access rights shall be

restricted and controlled.
The allocation of secret authentication information shall be

controlled through a formal management process.
Asset owners shall review users’ access rights at regular

intervals.
The access rights of all employees and external party users to
information and information processing facilities shall be
removed upon termination of their employment, contract or
agreement, or adjusted upon change.
A.9.3 - User responsibilities

Objective: To make users accountable for safeguarding their authentication in
Control Description
Users shall be required to follow the organization’s practices

in the use of secret authentication information.
A.9.4 - System and application access control

Objective: To prevent unauthorized access to systems and application
Control Description
Access to information and application system functions shall

be restricted in accordance with the access control policy.
Where required by the access control policy, access to
systems and applications shall be controlled by a secure log-
on procedure.
Password management systems shall be interactive and shall

ensure quality passwords.
The use of utility programs that might be capable of overriding

system and application controls shall be restricted and tightly
controlled.
Access to program source code shall be restricted.
Security Alliance. All rights reserved

ISO 27002
A.9 Access control
usiness requirements of access control

ess to information and information processing facilities.
exist, to which CCM
linked to?
IAM-02
AIS-02
No Gap
GRM-09
GRM-05
IAM-02
IAM-03
IAM-04
IAM-06
No Gap
IAM-08
IAM-09
IAM-13
IVS-06
A.9.2 - User access management

access and to prevent unauthorized access to systems and services.
exist, to which CCM
linked to?
IAM-02
IAM-04
No Gap
IAM-11
IAM-12
IAM-09
No Gap
IAM-11
IAM-09
Partial Gap
IAM-10
IAM-04
No Gap IAM-08
IAM-12
Partial Gap IAM-10

No Gap IAM-11
A.9.3 - User responsibilities

ccountable for safeguarding their authentication information.
exist, to which CCM
linked to?
No Gap IAM-12
System and application access control

nt unauthorized access to systems and applications.
exist, to which CCM
linked to?
No Gap IAM-09
Full Gap
Full Gap
No Gap IAM-13
No Gap IAM-06
analysis?
ces.

analysis?
Partial gap is due to missing term of "privileged
access rights" from CCM controls. The term is not
related to the principle of least privilege, but to
specific users having full access rights that allows
them to override system controls. I have selected
IAM-09 to address at high level the "access rights
restriction requirement" of 9.2.3. and by IAM-10 the
"control" requirement respectively by means of
assessing such rights allocation.
IAM-10 alone covers almost all of the requirements

of 9.2.5., I do not see how the remaining proposed
controls are relevant or add to the gap analysis.
Nevertheless, an access rights revalidating entity is
not defined explicitly in IAM-10 , such as "Asset
owners" role, as required explicitly by 9.2.5. To my
view the latter term has to be integrated into IAM-10,
for the gap to close.
analysis?

analysis?
Objective: To ensure proper and effective use
ID Control Control Description
Policy on the use of A policy on the use of cryptographic controls for

10.1.1 cryptographic protection of information shall be developed and
controls implemented.
A policy on the use, protection and lifetime of

10.1.2 Key management cryptographic keys shall be developed and
implemented through their whole lifecycle.

ISO 27002
A.10 Cryptography
A.10.1 - Cryptographic controls

nsure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of informa
Is this a FULL, PARTIAL or NO exist, to which CCM
Gap? Control is this control
linked to?
EKM-01
EKM-02
Partial Gap EKM-03
EKM-04
IVS-12
EKM-01
Partial Gap EKM-02
EKM-04
ls
dentiality, authenticity and/or integrity of information.
AND IF PARTIAL GAP exist, what is the

gap analysis?
Second bullet in IVS-12 requires "strong encryption

for authentication and transmission", and should be
governed by this policy on the use of cryptographic
controls.
EKM-01, EKM-02 and EKM-04 all explicitly refer to

policies and procedures for encryption keys and
methods and should be included. Furthermore, EKM-
02 doesn't cover:
27002-10.1.2 (f) Dealing with key compromise

27002-10.1.2 (h) Recovering keys that are lost or
corrupted
27002-10.1.2 (j) Destroying keys
27002-10.1.2 (k) Logging and auditing of key
management related activities
ation.
Comments
z
Objective: To prevent unauthorized physical acc
ID Control
Physical security
11.1.1
perimeter
11.1.2 Physical entry controls
Securing offices,
11.1.3
rooms and facilities
Protecting against
11.1.4 external and environmental
threats
Working in secure
11.1.5
areas
Delivery and loading

11.1.6
areas
Objective: To prevent loss, dama
ID Control
Equipment siting and

11.2.1
protection
11.2.2 Supporting utilities

11.2.3 Cabling security
11.2.4 Equipment maintenance
11.2.5 Removal of assets
Security of equipment
11.2.6
and assets off-premises
Secure disposal or reuse

11.2.7
of equipment
Unattended user
11.2.8
equipment
Clear desk and clear
11.2.9
screen policy

ISO 27002
A.11 Physical and environmental sec
A.11.1 - Secure areas

Objective: To prevent unauthorized physical access, damage and interference to the organi
Control Description
Security perimeters shall be defined and used to protect areas

that contain either sensitive or critical information and
information processing facilities.
Secure areas shall be protected by appropriate entry controls

to ensure that only authorized personnel are allowed access.
Physical security for offices, rooms and facilities shall be

designed and applied.
Physical protection against natural disasters, malicious attack

or accidents shall be designed and applied.
Procedures for working in secure areas shall be designed and
applied.
Access points such as delivery and loading areas and other

points where unauthorized persons could enter the premises
shall be controlled and, if possible, isolated from information
processing facilities to avoid unauthorized access.
A.11.2 - Equipment
Objective: To prevent loss, damage, theft or compromise of assets and inte
Control Description
Equipment shall be sited and protected to reduce the risks

from environmental threats and hazards, and opportunities for
unauthorized access.
Equipment shall be protected from power failures and other

disruptions caused by failures in supporting utilities.
Power and telecommunications cabling carrying data or
supporting information services shall be protected from
interception, interference or damage.
Equipment shall be correctly maintained to ensure its

continued availability and integrity.
Equipment, information or software shall not be taken off-site

without prior authorization.
Security shall be applied to off-site assets taking into account

the different risks of working outside the organization’s
premises.
All items of equipment containing storage media shall be

verified to ensure that any sensitive data and licensed
software has been removed or securely overwritten prior to
disposal or re-use.
Users shall ensure that unattended equipment has

appropriate protection.
A clear desk policy for papers and removable storage media
anda clear screen policy for information processing facilities
shall be adopted.

ISO 27002
A.11 Physical and environmental security
A.11.1 - Secure areas

cal access, damage and interference to the organization’s information and information processing facilities.

linked to?
No Gap DCS-02
No Gap DCS-07
DCS-02
Partial Gap
DCS-06
No Gap BCR-05
DCS-06
No Gap HRS-11
HRS-10
DCS-08
No Gap
DCS-07
A.11.2 - Equipment
s, damage, theft or compromise of assets and interruption to the organization’s operations.

linked to?
DCS-02
DCS-07
DCS-08
No Gap
BCR-05
BCR-06
BCR-08
No Gap BCR-03
BCR-07
Partial Gap BCR-03
BCR-08
BCR-06
No Gap BCR-07
BCR-08
No Gap DCS-04
DCS-04
No Gap
HRS-05
DSI-07
No Gap
DCS-05
No Gap
DCS-06
No Gap
HRS-11
nformation processing facilities.

Comments
The control proposed fully cover the security

objective of 11.1.1.
The control proposed fully cover the security

The DCS controls identified do not specifically

mention that physical security should be
designed and applied (i.e. security by design
principle). Thus, DCS-02 and DCS-06 only
partially cover the security objective of 11.1.3
The controls proposed full cover the security

The controls proposed full cover the security
The controls proposed fully cover the security

on’s operations.

Comments


BCR-07 focuses on the maintenance of
equipment. BCS-03 only covers data
center facilities. BCR-08 refers specifically
to power failures. None of the controls
recommended fully satisfies the security
objective and intention of 11.2.3 which is
to protect against an active threat of
interception, inteference or damage to
power and telecommunications in any
facility, office or rooms.





A.12.1
Objective: To ensure
ID Control ControlIsDescription
this a FULL, PARTIAL or NO Gap?
Operating procedures
Documented shall be documented
12.1.1 operating and made available to No Gap
procedures all users who need
them.
Changes to the
organization, business
processes, information
Change
12.1.2 processing facilities No Gap
management
and systems that affect
information security
shall be controlled.
The use of resources

shall be monitored,
tuned and projections
Capacity
12.1.3 made of future No Gap
management
capacity requirements
to ensure the required
system performance.
Development, testing,
and operational
Separation of environments shall be
evelopment, separated to reduce
12.1.4 testing and the risks of No Gap
operational unauthorized access or
environments changes to the
operational
environment.
Objective: To ensure that inform
Detection, prevention
and recovery controls
to protect against
Controls
malware shall be
12.2.1 against No Gap
implemented,
malware
combined with
appropriate user
awareness.
Backup copies of
information, software
and system images
Information
12.3.1 shall be taken and No Gap
backup
tested regularly in
accordance with an
agreed backup policy.
Obj
Event logs recording

user activities,
exceptions, faults and
12.4.1 Event logging information security No Gap
events shall be
produced, kept and
regularly reviewed.
Logging facilities and
log information shall be
Protection of
12.4.2 protected against No Gap
log information
tampering and
unauthorized access.
System administrator
and system operator
Administrator
activities shall be Partial
12.4.3 and operator
logged and the logs Gap
logs
protected and regularly
reviewed.
The clocks of all

relevant information
processing systems
Clock
within an organization
12.4.4 synchronisatio No Gap
or security domain
n
shall be synchronised
to a single reference
time source.
Object
Procedures shall be
Installation of
implemented to control
software
12.5.1 the installation of No Gap
on operational
software on
systems
operational systems.
A
Objectiv
Information about
technical vulnerabilities
of information systems
being used shall be
obtained in a timely
Management fashion, the
12.6.1 of technical organization’s No Gap
vulnerabilities exposure to such
vulnerabilities
evaluated and
appropriate measures
taken to address the
associated risk.
Rules governing the

Restrictions on installation of software
12.6.2 software by users shall be No Gap
installation established and
implemented.
A.12
Objective: To m
Audit requirements and

activities involving
verification of
Information
operational systems
12.7.1 systems No Gap
shall be carefully
audit controls
planned and agreed to
minimise disruptions to
business processes.

ISO 27002
A.12 Operations security
A.12.1 - Operational procedures and responsibilities

Objective: To ensure correct and secure operations of information processing fac
IF NO OR PARTIAL GAP exist, to which CCM Control is this

control linked to?
BCR-04
CCC-01
CCC-02
CCC-03
CCC-04
CCC-05,
GRM-01
IVS-02
STA-05
IVS-04
STA-03
IVS-08
STA-01
DSI-05
A.12.2 - Protection from malware

Objective: To ensure that information and information processing facilities are protected ag

control linked to?
TVM-01
MOS-01
MOS-17
CCC-04
IVS-07
TVM-03
MOS-04
MOS-03
MOS-02
A.12.3 Backup
Objective: To protect against loss of data.

control linked to?
BCR-11
A.12.4 - Logging and monitoring

Objective: To record events and generate evidence.

control linked to?
IVS-01
SEF-02
IVS-02
IVS-07
IVS-01
IAM-01
DCS-02
IVS-01
IVS-02
IVS-03
A.12.5 - Control of operational software

Objective: To ensure the integrity of operational systems.

control linked to?
CCC-04
A.12.6 - Technical vulnerability management

Objective: To prevent exploitation of technical vulnerabilities.

control linked to?
TVM-02
IVS-05
CCC-04
MOS-03
IAM-13
MOS-04
MOS-15
A.12.7 - Information systems audit considerations

Objective: To minimise the impact of audit activities on operational systems

control linked to?
AAC-01
IAM-01
IVS-01
hts reserved
O 27002
erations security
rocedures and responsibilities

re operations of information processing facilities.
tection from malware

mation processing facilities are protected against malware.

12.3 Backup
otect against loss of data.
gging and monitoring

events and generate evidence.

IVS-01, 02 somewhat address activities that may be performed by
one with elevated privileges. No control specifically aligns with the
control text in column C.
l of operational software
e integrity of operational systems.
vulnerability management
loitation of technical vulnerabilities.

systems audit considerations
t of audit activities on operational systems.

Comments
The control proposed fully cover the security objective of

12.1.1.

12.1.2.
STA-03 addresses setting capacity-level expectations

within the supply chain. It may be applicable; however,
IVS-04 covers the control completely.
The controls proposed fully cover the security objective of

12.1.3.

12.1.4.
Comments
The three common controls adequately address the
requirement. The other controls address specific
environments where the controls should be applied. CCC-
04 requires policy and implementation of technical
measures to restrict installation of unauthorized software
(prevention) and is applicable. IVS-07 requires a hardened
baseline and controls, such as AV and FIM - detection and
prevention. TVM-03 addresses mobile code controls and is
applicable. MSO-04 addresses awareness training or BYOD.

12.2.1.
Comments

12.3.1.
Comments
IVS-01, IVS-02 and IVS-07 apply. SEF-02 specifically

addresses security events and triage - control is applicable.

12.4.1.
IAM-01 is applicable. IVS-01 is applicable, as it addresses
the protection, retention, and lifecycle management of
audit logs. The other controls not properly align to the
control. DCS-02 could apply, as it specifically defines
protection requirements for data centers.

12.4.2.
The control proposed fully covers the security objective of

12.4.4.
Comments

12.5.1.
Comments
12.6.1.

12.6.2.
Comments
The controls proposed fully covers the security objective

of 12.7.1.
Objective: To ensure
ID Control
13.1.1 Network controls
Security of network
13.1.2
services
13.1.3 Segregation in networks
Objective: To mainta
ID Control
Information transfer
13.2.1
policies and procedures
Agreements on information
13.2.2
transfer
13.2.3 Electronic messaging
Confidentiality or
13.2.4
nondisclosure agreements

ISO 27002
A.13 Communications
A.13.1 - Network security m

Objective: To ensure the protection of information in networks an
Control Description
Networks shall be managed and controlled to protect

information in systems and applications.
Security mechanisms, service levels and management

requirements of all network services shall be identified and
included in network services agreements, whether these
services are provided in-house or outsourced.
Groups of information services, users and information

systems shall be segregated on networks.
A.13.2 - Information t
Objective: To maintain the security of information transferred wi
Control Description
Formal transfer policies, procedures and controls shall be in
place to protect the transfer of information through the use of
all types of communication facilities.
Agreements shall address the secure transfer of business

information between the organization and external parties.
Information involved in electronic messaging shall be

appropriately protected.
Requirements for confidentiality or non-disclosure agreements

reflecting the organization’s needs for the protection of
information shall be identified, regularly reviewed and
documented.

ISO 27002
A.13 Communications security
A.13.1 - Network security management

ensure the protection of information in networks and its supporting information processing facilities.
exist, to which CCM
linked to?
IVS-06
IVS-09
No Gap IVS-12
EKM-03
DSI-03
IVS-06
IVS-09
No Gap IVS-12
STA-07
IVS-06
IVS-09
No Gap
IVS-08
A.13.2 - Information transfer

maintain the security of information transferred within an organization and with any external entity.
exist, to which CCM
linked to?
IVS-06
IVS-09
IVS-12
No Gap
AIS-03
AIS-04
DSI-04
STA-05
No Gap AIS-04
HRS-06
No Gap EKM-03
No Gap HRS-06
information processing facilities.

tion and with any external entity.

Comments
The controls proposed fully covers the security objectives of 13.1.1.
Comments

ISO 2
A.14 System acquisition, dev
A.14.1 - Security requiremen

Objective: To ensure that information security is an integral part of information systems across the enti
public ne
ID Control
14.1.1 requirements analysis
and specification
Securing application
14.1.2 services on public
networks
Protecting application
14.1.3
services transactions
A.14.2 - S
Objective: To ensure that information security
ID Control
Secure development
14.2.1
policy
System change control

14.2.2
procedures
Technical review of
applications after
14.2.3
operating platform
changes
Restrictions on
14.2.4 changes to software
packages
Secure system engineering

14.2.5
principles
Secure development
14.2.6
environment
14.2.7 Outsourced development
14.2.8 System security testing
System acceptance
14.2.9
testing
Objective
ID Control
14.3.1 Protection of test data

ISO 27002
A.14 System acquisition, development and maintenance
A.14.1 - Security requirements of information systems

ation security is an integral part of information systems across the entire lifecycle. This also includes the requirem
public networks..
Control Description
The information security related requirements shall be

included in the requirements for new information systems or
enhancements to existing information systems.
Information involved in application services passing over

public networks shall be protected from fraudulent activity,
contract dispute and unauthorized disclosure and
modification.
Information involved in application service transactions shall

be protected to prevent incomplete transmission, mis-routing,
unauthorized message alteration, unauthorized disclosure,
unauthorized message duplication or replay.
A.14.2 - Security in development and support pro

Objective: To ensure that information security is designed and implemented within the de
Control Description
Rules for the development of software and systems shall be

established and applied to developments within the
organization.
Changes to systems within the development lifecycle shall be

controlled by the use of formal change control procedures.
When operating platforms are changed, business critical
applications shall be reviewed and tested to ensure there is
no adverse impact on organizational operations or security.
Modifications to software packages shall be discouraged,

limited to necessary changes and all changes shall be strictly
controlled.
Principles for engineering secure systems shall be

established, documented, maintained and applied to any
information system implementation efforts.
Organizations shall establish and appropriately protect secure
development environments for system development and
integration efforts that cover the entire system development
lifecycle.
The organization shall supervise and monitor the activity of
outsourced system development.
Testing of security functionality shall be carried out during

development.
Acceptance testing programs and related criteria shall be

establishedfor new information systems, upgrades and new
versions.
A.14.3 - Test data

Objective: To ensure the protection of data used for
Control Description
Test data shall be selected carefully, protected and controlled.

SO 27002
on, development and maintenance
uirements of information systems

the entire lifecycle. This also includes the requirements for information systems which provide services over
ublic networks..
linked to?
CCC-01
CCC-02
No Gap CCC-03
CCC-05
GRM-01
CCC-01
CCC-02
CCC-03
No Gap CCC-05
GRM-01
EKM-03
DSI-03
CCC-01
CCC-02
CCC-03
No Gap CCC-05
GRM-01
DSI-03
EKM-03
.14.2 - Security in development and support processes

security is designed and implemented within the development lifecycle of information systems.
exist, to which CCM
linked to?
AIS-01
CCC-01
No Gap CCC-02
IAM-06
TVM-02
CCC-05
No Gap TVM-02
CCC-03
CCC-03
CCC-05
No Gap
TVM-02
MOS-15
CCC-05
Partial Gap
TVM-02
Full Gap
IVS-08
No Gap IAM-06
DSI-05
No Gap CCC-02
AIS-01
No Gap CCC-03
MOS-07
AIS-01
Partial Gap CCC-03
MOS-07
A.14.3 - Test data

Objective: To ensure the protection of data used for testing.
exist, to which CCM
linked to?
DSI-05
DSI-06
No Gap CCC-01
CCC-02
CCC-03
ation systems which provide services over

Comments



ycle of information systems.

Comments


More specific and explicit guidelines

should be added in the CCM to strictly
control the changes to software
packages



CCM controls include security testing

but don't explicitly mention
specifically the acceptance testing

Comments

A.15.1 - Info
Objective: To ensure protectio
ID Control
15.1.1 policy for supplier
relationships
Addressing security
15.1.2
within supplier agreements
Information and
15.1.3 communication
technology supply chain
A.15.2 - S
Objective: To maintain an agreed level of
ID Control
Monitoring and review

15.2.1
of supplier services
Managing changes to
15.2.2
supplier services

ISO 27002
A.15 Supplier relationships
A.15.1 - Information security in supplier relationship

Objective: To ensure protection of the organization’s assets that is acces
Control Description
Information security requirements for mitigating the risks

associated with supplier’s access to the organization’s assets
shall be agreed with the supplier and documented.
All relevant information security requirements shall be

established and agreed with each supplier that may access,
process, store, communicate, or provide IT infrastructure
components for, the organization’s information
Agreements with suppliers shall include requirements to
address the information security risks associated with
information and communications technology services and
product supply chain.
A.15.2 - Supplier service delivery management

Objective: To maintain an agreed level of information security and service delivery in
Control Description
Organizations shall regularly monitor, review and audit

supplier service delivery.
Changes to the provision of services by suppliers, including
maintaining and improving existing information security
policies, procedures and controls, shall be managed, taking
account of the criticality of business information, systems and
processes involved
and re-assessment of risks.

ISO 27002
A.15 Supplier relationships
1 - Information security in supplier relationships

protection of the organization’s assets that is accessible by suppliers.
exist to which CCM
linked to?
BCR-10
BCR-11
CCC-01
CCC-02
CCC-03
CCC-04
CCC-05
DCS-01
DCS-05
DCS-06
DCS-09
GRM-01
GRM-04
GRM-06
No Gap
GRM-07
GRM-08
GRM-09
GRM-10
GRM-11
IAM-02
IAM-09
STA-01
STA-05
STA-07
STA-08
TVM-01
TVM-02
TVM-03
CCC-02
IAM-02
IAM-09
No Gap
STA-03
STA-05
STA-09
BCR-10
BCR-11
CCC-01
CCC-02
CCC-03
CCC-04
CCC-05
DCS-0
DCS-05
DCS-06
DCS-09
GRM-01
GRM-04
No Gap GRM-06
GRM-07
GRM-08
GRM-09
GRM-11
IAM-02
IAM-09
STA-07
STA-08
TVM-01
TVM-02
TVM-03
STA-03
STA-05
.15.2 - Supplier service delivery management

evel of information security and service delivery in line with supplier agreements.
exist, to which CCM
linked to?
IAM-02
IAM-09
STA-01
STA-02
No Gap STA-04
STA-05
STA-06
STA-07
STA-08
STA-0
STA-02
STA-04
No Gap STA-05
STA-06
STA-07
STA-08
s.

Comments
The controls proposed fully cover

the security objectives of 15.1.1.

r agreements.

Comments

A.16.1 - M
Objective: To ensure a consistent and effective approach
ID Control
Responsibilities and
16.1.1
procedures
Reporting information
16.1.2
security events
Reporting information
16.1.3
security weaknesses
Assessment of and decision on
16.1.4
information security events
Response to information
16.1.5
security incidents
Learning from
16.1.6 information security
incidents
16.1.7 Collection of evidence

ISO 27002
A.16 Information security incident m
A.16.1 - Management of information security incid

Objective: To ensure a consistent and effective approach to the management of information security
Control Description
Management responsibilities and procedures shall be

established to ensure a quick, effective and orderly response
to information security incidents.
Information security events shall be reported through

appropriate management channels as quickly as possible.
Employees and contractors using the organization’s

information systems and services shall be required to note
and report any observed or suspected information security
weaknesses in systems or services.
Information security events shall be assessed and it shall be
decided if they are to be classified as information security
incidents.
Information security incidents shall be responded to in

accordance with the documented procedures.
Knowledge gained from analysing and resolving information

security incidents shall be used to reduce the likelihood or
impact of future incidents.
The organization shall define and apply procedures for the

identification, collection, acquisition and preservation of
information, which can serve as evidence.

ISO 27002
A.16 Information security incident management
16.1 - Management of information security incidents and improvements

proach to the management of information security incidents, including communication on security events and wea
linked to?
SEF-01
No Gap
SEF-02
SEF-02
SEF-03
IVS-01
No Gap IVS-02
SEF-01
STA-05
GRM-04
SEF-02
SEF-03
No Gap CCC-02
IVS-02
TVM-02
SEF-02
No Gap
IVS-02
SEF-02
SEF-03
No Gap IVS-02
SEF-04
BCR-02
No Gap SEF-05
SEF-04
No Gap IAM-01
IVS-01
ovements
ding communication on security events and weaknesses.

Comments
analysis?
The controls proposed fully cover the

security objective of 16.1.1.





Objective: Information
ID Control
Planning information
17.1.1
security continuity
Implementing information
17.1.2
security continuity
Verify, review and

17.1.3 evaluate information
security continuity
ID Control
Availability of information
17.2.1 processing
facilities

ISO 270
A.17 Information security aspects of b
A.17.1 - Information se
Objective: Information security continuity shall be embedded in th
Control Description
The organization shall determine its requirements for information security and the continuity of
information security management in adverse situations, e.g. during a crisis or disaster.
The organization shall establish, document, implement and maintain processes, procedures
and controls to ensure the required level of continuity for information security during an
adverse situation.
The organization shall verify the established and implemented information security continuity
controls at regular intervals in order to ensure that they are valid and effective during adverse
situations.
A.17.2 - Redun
Objective: To ensure availability of in
Control Description
Information processing facilities shall be implemented with redundancy sufficient to meet

availability requirements.
nce. All rights reserved

ISO 27002
rity aspects of business continuity management
- Information security continuity

e embedded in the organization’s business continuity management systems.

Is this a FULL, PARTIAL or
which CCM Control is this control
NO Gap?
linked to?
BCR-09
No Gap
GRM-01
BCR-01
No Gap
BCR-09
BCR-02
No Gap
GRM-09
A.17.2 - Redundancies
e availability of information processing facilities.
which CCM Control is this control
linked to?
No Gap BCR-03
ms.

Comments

security objectives of 17.1.1.


Comments

Objective: To avoid breaches o
ID Control
Identification of applicable
18.1.1 legislation and contractual
requirements
Intellectual property
18.1.2
rights
18.1.3 Protection of records

Privacy and protection
18.1.4 of personally identifiable
information
Regulation of cryptographic
18.1.5
controls
Objective: To ensure that
ID Control
Independent review of
18.2.1
information security
Compliance with
18.2.2 security policies and
standards
Technical compliance
18.2.3
review

ISO 2
A.18 Co
A.18.1 - Compliance with lega

Objective: To avoid breaches of legal, statutory, regulatory or contractual o
Control Description
All relevant legislative statutory, regulatory, contractual

requirements and the organization’s approach to meet these
requirements shall be explicitly identified, documented and
kept up to date for each information system and the
organization.
Appropriate procedures shall be implemented to ensure

compliance with legislative, regulatory and contractual
requirements related to intellectual property rights and use of
proprietary software products.
Records shall be protected from loss, destruction, falsification,

unauthorized access and unauthorized release, in accordance
with legislatory, regulatory, contractual and business
requirements.
Privacy and protection of personally identifiable information
shall be ensured as required in relevant legislation and
regulation where applicable.
Cryptographic controls shall be used in compliance with all

relevant agreements, legislation and regulations.
A.18.2 - Informatio
Objective: To ensure that information security is implemented and op
Control Description
The organization’s approach to managing information security

and its implementation (i.e. control objectives, controls,
policies, processes and procedures for information security)
shall be reviewed independently at planned intervals or when
significant changes
occur.
Managers shall regularly review the compliance of information

processing and procedures within their area of responsibility
with the appropriate security policies, standards and any other
security requirements.
Information systems shall be regularly reviewed for

compliance with the organization’s information security
policies and standards.
nce. All rights reserved

ISO 27002
A.18 Compliance
A.18.1 - Compliance with legal and contractual requirements

aches of legal, statutory, regulatory or contractual obligations related to information security and of any security re

Is this a FULL, PARTIAL or NO Gap? which CCM Control is this control
linked to?
No Gap AAC-03
Partial Gap
CCC-01
EKM-03
GRM-02
No Gap
IVS-01
Full Gap
No Gap EKM-03
A.18.2 - Information security reviews

re that information security is implemented and operated in accordance with the organizational policies and proce

Is this a FULL, PARTIAL or NO Gap? which CCM Control is this control
linked to?
GRM-06
Partial Gap
AAC-02
No Gap GRM-09
No Gap GRM-09
y and of any security requirements.

analysis?
CCC-01 doesn't specifically mention that all new

acquisitions must comply with legislative,
regulatory, and contractual requirements related to
intellectual property rights and use of proprietary
software products.
No new controls needed. This is covered, but

spread over multiple CCM controls.
ional policies and procedures.

analysis?
CCM does not have language that specify that

independent reviews should also occur when there
are significant changes to AAC-02. Additional CCM
controls are excessive.
Comments

The control proposed fully covers the

No existing CCM control covers this.
The control proposed fully covers the

Comparison Review Comments
The proposed control fully covers the

The proposed control fully covers the

Public
This annex specifies new controls and associated implementation guidance which, in combination wi
which
ID Control
Obligation to co-operate
A.1.1
regarding PII principals’ rights
Public cloud PII processor’s
A.2.1
purpose
Public cloud PII processor's

A.2.2
commercial use
Secure erasure of temporary
A.4.1
files
PII disclosure notification

A.5.1
Control
A.5.2 Recording of PII disclosures

Disclosure of sub-contracted
A.7.1
PII processing
Notification of a data breach
A.9.1 involving PII
Retention period for

A.9.2 administrative security policies
and guidelines
A.9.3 PII return, transfer and disposal
Confidentiality or non-disclosure
A.10.1 agreements
Restriction of the creation of

A.10.2 hardcopy material
Control and logging of data
A.10.3 restoration
Protecting data on storage media

A.10.4 leaving the premises
Use of unencrypted portable

A.10.5 storage media and devices
Encryption of PII transmitted over

A.10.6 public data-transmission networks
Secure disposal of hardcopy

A.10.7 materials
A.10.8 Unique use of user IDs
Records of authorized users

A.10.9 Control
A.10.10 User ID management
A.10.11 Contract measures
A.10.12 Sub-contracted PII processing

Access to data on pre-used data
A.10.13 storage space
A.11.1 Geographical location of PII
A.11.2 Intended destination of PII

ISO 27018
Public Cloud PII processor extended control set for PII protec
ed implementation guidance which, in combination with the augmented controls and guidance in ISO/IEC 27002 (
which apply to public cloud service providers acting as PII process
Control Description
Control
The public cloud PII processor should provide the cloud service customer with the
means to enable them to fulfil their obligation to facilitate the exercise of PII principals’
rights to access, correct and/or erase PII pertaining to them.
Public cloud PII protection implementation guidance

The PII controller’s obligations in this respect may be defined by law, by regulations or by
contract. These obligations may include matters where the cloud service customer uses
the services of the public cloud PII processor for implementation. For example, this could
include the correction or deletion of PII in a timely fashion.
Where the PII controller depends on the public cloud PII processor for information or
technical measures to facilitate the exercise of PII principals’ rights, the relevant
information or technical measures should be specified in the contract.
Control
PII to be processed under a contract should not be processed for any purpose
independent of the instructions of the cloud service customer.

Instructions may be contained in the contract between the public cloud PII processor and
the cloud service customer including, e.g., the objective and time frame to be achieved
by the service.
In order to achieve the cloud service customer’s purpose, there may be technical
reasons why it is appropriate for a public cloud PII processor to determine the method for
processing PII, consistent with the general instructions of the cloud service customer but
without the cloud service customer’s express instruction. For example, in order to
efficiently utilize network or processing capacity it may be necessary to allocate specific
processing resources depending on certain characteristics of the PII principal. In
circumstances where the public cloud PII processor’s determination of the processing
method involves the collection and use of PII, the public cloud PII processor should
adhere to the relevant privacy principles set forth in ISO/IEC 29100.
The public cloud PII processor should provide the cloud service customer with all
relevant information, in a timely fashion, to allow the cloud service customer to ensure
the public cloud PII processor’s compliance with purpose specification and limitation
principles and ensure that no PII is processed by the public cloud PII processor or any of
its sub-contractors for further purposes independent of the instructions of the cloud
service customer.
Control
PII processed under a contract should not be used by the public cloud PII processor for
the purposes of marketing and advertising without express consent. Such consent
should not be a condition of receiving the service.
NOTE This control is an addition to the more general control in A.2.1 and does not
replace or otherwise supersede it.
Control
Temporary files and documents should be erased or destroyed within a specified,
documented period.
Implementation guidance on PII erasure is provided in A.10.11.

Information systems may create temporary files in the normal course of their operation.
Such files are specific to the system or application, but may include file system roll-back
journals and temporary files associated with the updating of databases and the operation
of other application software. Temporary files are not needed after the related
information processing task has completed but there are circumstances in which they
may not be deleted. The length of time for which these files remain in use is not always
deterministic but a “garbage collection” procedure should identify the relevant files and
determine how long it has been since they were last used.
PII processing information systems should implement a periodic check that unused
temporary files above a specified age are deleted.
The contract between the public cloud PII processor and the cloud service customer
should require the public cloud PII processor to notify the cloud service customer, in
accordance with any procedure and time periods agreed in the contract, of any legally
binding request for disclosure of PII by a law enforcement authority, unless such a
disclosure is otherwise prohibited.
The public cloud PII processor should provide contractual guarantees that it will reject
any requests for PII disclosure that are not legally binding, consult the corresponding
cloud service customer where legally permissible before making any PII disclosure and
accept any contractually agreed requests for PII disclosures that are authorized by the
corresponding cloud service customer.
An example of a possible prohibition on disclosure would be a prohibition under criminal
law to preserve the confidentiality of a law enforcement investigation.
Control
Disclosures of PII to third parties should be recorded, including what PII has been
disclosed, to whom and at what time.

PII may be disclosed during the course of normal operations. These disclosures should
be recorded (see 12.4.1). Any additional disclosures to third parties, such as those
arising from lawful investigations or external audits, should also be recorded. The
records should include the source of the disclosure and the source of the authority to
make the disclosure.
Control
The use of sub-contractors by the public cloud PII processor to process PII should be
disclosed to the relevant cloud service customers before their use.

Provisions for the use of sub-contractors to process PII should be transparent in the
contract between the public cloud PII processor and the cloud service customer. The
contract should specify that sub-contractors may only be commissioned on the basis of a
consent that can generally be given by the cloud service customer at the beginning of
the service. The public cloud PII processor should inform the cloud service customer in a
timely fashion of any intended changes in this regard so that the cloud service customer
has the ability to object to such changes or to terminate the contract.
Information disclosed should cover the fact that sub-contracting is used and the names
of relevant sub- contractors, but not any business-specific details. The information
disclosed should also include the countries in which sub-contractors may process data
(see A.11.1) and the means by which sub-contractors are obliged to meet or exceed the
obligations of the public cloud PII processor (see A.10.12).
Where public disclosure of sub-contractor information is assessed to increase security
risk beyond acceptable limits, disclosure should be made under a non-disclosure
agreement and/or on the request of the cloud service customer. The cloud service
customer should be made aware that the information is available.
Control
The public cloud PII processor should promptly notify the relevant cloud service
customer in the event of any unauthorized access to PII or unauthorized access to
processing equipment or facilities resulting in loss, disclosure or alteration of PII.

Provisions covering the notification of a data breach involving PII should form part of the
contract between the public cloud PII processor and the cloud service customer. The
contract should specify how the public cloud PII processor will provide the information
necessary for the cloud service customer to fulfil his obligation to notify relevant
authorities. This notification obligation does not extend to a data breach caused by the
cloud service customer or PII principal or within system components for which they are
responsible. The contract should also define the maximum delay in notification of a data
breach involving PII.
In the event that a data breach involving PII has occurred, a record should be maintained
with a description of the incident, the time period, the consequences of the incident, the
name of the reporter, to whom the incident was reported, the steps taken to resolve the
incident (including the person in charge and the data recovered) and the fact that the
incident resulted in loss, disclosure or alteration of PII.
In the event that a data breach involving PII has occurred, the record should also include
a description of the data compromised, if known; and if notifications were performed, the
steps taken to notify the cloud service customer and/or regulatory agencies.
In some jurisdictions, relevant legislation or regulations may require the public cloud PII
processor to directly notify appropriate regulatory authorities (e.g., a PII protection
authority) of a data breach involving PII.
NOTE There may be other breaches requiring notification that are not covered here,
e.g., collection without consent or other authorization, use for unauthorized purposes,
etc.
Control
Copies of security policies and operating procedures should be retained for a specified,
documented period upon replacement (including updating).

Review of current and historical policies and procedures may be required, e.g., in the
cases of customer dispute resolution and investigation by a PII protection authority. A
minimum retention period of five years is recommended in the absence of a specific
legal or contractual requirement.
Control
The public cloud PII processor should have a policy in respect of the return, transfer
and/or disposal of PII and should make this policy available to the cloud service
customer.

At some point in time, PII may need to be disposed of in some manner. This may involve
returning the PII to the cloud service customer, transferring it to another public cloud PII
processor or to a PII controller (e.g., as a result of a merger), securely deleting or
otherwise destroying it, anonymizing it or archiving it.
The public cloud PII processor should provide the information necessary to allow the
cloud service customer to ensure that PII processed under a contract is erased (by the
public cloud PII processor and any of its sub- contractors) from wherever they are
stored, including for the purposes of backup and business continuity, as soon as they are
no longer necessary for the specific purposes of the cloud service customer. The nature
of the disposition mechanisms (de-linking, overwriting, demagnetization, destruction or
other forms of erasure) and/or the applicable commercial standards should be provided
for contractually.
The public cloud PII processor should develop and implement a policy in respect of the
disposition of PII and should make this policy available to cloud service customer.
The policy should cover the retention period for PII before its destruction after
termination of a contract, to protect the cloud service customer from losing PII through
an accidental lapse of the contract.
NOTE This control and guidance is also relevant under the retention element of the
“Use, retention and disclosure limitation” principle (see A.5).
Control
Individuals under the public cloud PII processor’s control with access to PII should be
subject to a confidentiality obligation.

A confidentiality agreement, in whatever form, between the public cloud PII processor, its
employees and its agents should ensure that employees and agents do not disclose PII
for purposes independent of the instructions of the cloud service customer (see A.2.1).
The obligations of the confidentiality agreement should survive termination of any
relevant contract.
A.10.2 Restriction of the creation of hardcopy material ControlThe creation of hardcopy
material displaying PII should be restricted. Public cloud PII protection implementation
guidanceHardcopy material includes material created by printing.
The creation of hardcopy material displaying PII should be restricted.

Hardcopy material includes material created by printing.
Control
There should be a procedure for, and a log of, data restoration efforts.

NOTE The above control makes generic the following requirement which applies in
certain legal jurisdictions. The log of data restoration efforts should contain: the person
responsible, a description of the restored data, and the data that were restored manually.
Control
PII on media leaving the organization's premises should be subject to an authorization
procedure and should not be accessible to anyone other than authorized personnel (e.g.,
by encrypting the data concerned).
Control
Portable physical media and portable devices that do not permit encryption should not be
used except where it is unavoidable, and any use of such portable media and devices
should be documented.
Control
PII that is transmitted over public data-transmission networks should be encrypted prior
to transmission.
In some cases, e.g., the exchange of e-mail, the inherent characteristics of public data-
transmission network systems might require that some header or traffic data be exposed
for effective transmission.
Where multiple service providers are involved in providing service from different service
categories of the cloud computing reference architecture, there may be varied or shared
roles in implementing this guidance.
Control
Where hardcopy materials are destroyed, they should be destroyed securely using
mechanisms such as cross-cutting, shredding, incinerating, pulping, etc.
Control
If more than one individual has access to stored PII, then they should each have a
distinct user ID for identification, authentication and authorization purposes.
An up-to-date record of the users or profiles of users who have authorized access to the
information system should be maintained.

A user profile should be maintained for all users whose access is authorized by the
public cloud PII processor. The profile of a user comprises the set of data about that
user, including user ID, necessary to implement the technical controls providing
authorized access to the information system.
Control
De-activated or expired user IDs should not be granted to other individuals.
In the context of the whole cloud computing reference architecture, the cloud service
customer may be responsible for some or all aspects of user ID management for cloud
service users under its control.
Control
Contracts between the cloud service customer and the public cloud PII processor should
specify minimum technical and organizational measures to ensure that the contracted
security arrangements are in place and that data is not processed for any purpose
independent of the instructions of the controller. Such measures should not be subject to
unilateral reduction by the public cloud PII processor.
Information security and PII protection obligations relevant to the public cloud PII
processor may arise directly from applicable law. Where this is not the case, PII
protection obligations relevant to the public cloud PII processor should be covered in the
contract.
The controls in this International Standard, together with the controls in ISO/IEC 27002,
are intended as a reference catalogue of measures to assist in entering into an
information processing contract in respect of PII. The public cloud PII processor should
inform a prospective cloud service customer, before entering into a contract, about the
aspects of its services material to the protection of PII.
The public cloud PII processor should be transparent about its capabilities during the
process of entering into a contract. However, it is ultimately the cloud service customer’s
responsibility to ensure that the measures implemented by the public cloud PII processor
meet its obligations.
Control
Contracts between the public cloud PII processor and any sub-contractors that process
PII should specify minimum technical and organizational measures that meet the
information security and PII protection obligations of the public cloud PII processor. Such
measures should not be subject to unilateral reduction by the sub-contractor.
The use of sub-contractors to store backup copies is covered by this control (see A.7.1).
Control
The public cloud PII processor should ensure that whenever data storage space is
assigned to a cloud service customer, any data previously residing on that storage space
is not visible to that cloud service customer.
Upon deletion by a cloud service user of data held in an information system,
performance issues may mean that explicit erasure of that data is impractical. This
creates the risk that another user may be able to read the data. Such risk should be
avoided by specific technical measures.
No specific guidance is especially appropriate for dealing with all cases in implementing
this control. However, as an example, some cloud infrastructure, platforms or
applications will return zeroes if a cloud service user attempts to read storage space
which has not been overwritten by that user’s own data.
Control
The public cloud PII processor should specify and document the countries in which PII
might possibly be stored.
The identities of the countries where PII might possibly be stored should be made
available to cloud service customers. The identities of the countries arising from the use
of sub-contracted PII processing should be included. Where specific contractual
agreements apply to the international transfer of data, such as Model Contract Clauses,
Binding Corporate Rules or Cross Border Privacy Rules, the agreements and the
countries or circumstances in which such agreements apply should also be identified.
The public cloud PII processor should inform the cloud service customer in a timely
fashion of any intended changes in this regard so that the cloud service customer has
the ability to object to such changes or to terminate the contract.
Control
PII transmitted using a data-transmission network should be subject to appropriate
controls designed to ensure that data reaches its intended destination.
served
7018
ded control set for PII protection
nd guidance in ISO/IEC 27002 (see clauses 5 to 18), make up an extended control set to meet the requirements fo
providers acting as PII processors.
exist, to which CCM
linked to?
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
IAM-07
IAM-11
No Gap
IAM-12
IVS-06
IAM-04
IAM-07
IAM-08
No Gap IAM-10
IAM-11
IAM-12
IVS-01
Partial Gap IAM-08
Partial Gap HRS-03
Full Gap
Full Gap
DCS-04
DCS-05
No Gap
MOS-11
EKM-03
Partial Gap EKM-03
Full Gap
Full Gap
Full Gap
No Gap IAM-04
No Gap IAM-12
Full Gap
Full Gap
Full Gap
Full Gap
Full Gap
d control set to meet the requirements for PII protection

analysis?
IAM-08 covers the principle of least privilege to
identities. All other aspects of this control are not
covered.
HRS-03 covers standard company NDA obligations.

EKM-03 lacks specific mention of portable physical
media and portal devices.
DSI-07 covers secure disposal of electronic data.
IAM-02, IAM-04, though not specific to PII.

No other control. Required to be more specific
about PII iformation, becasuse STA-05 is generic
and don't have PII restrictions.
No other control. Required to be more specific

about PII iformation, becasuse STA-05 is generic
and don't have PII restrictions.
STA-05 covers supply chain agreements between
providers and customers.
EKM-03 demands policy and controls about data in

transmition, but not in detail about PII and
"intended destination", so it must be detailed in
additional control
This Annex provides additional control objectives, controls and implementation
ID Control
Shared roles and

CLD.6.3.1 responsibilities within a cloud
computing environment
Removal of cloud service

CLD.8.1.5
customer assets
Segregation in virtual
CLD.9.5.1
computing environment
CLD.9.5.2 Virtual machine hardening

Administrator's operational
CLD.12.1.5
security
CLD.12.4.5 Monitoring of cloud services
Alignment of security
CLD.13.1.4 management for virtual and
physical networks

ISO 27017
CLD
ovides additional control objectives, controls and implementation guidance as an extended control set for cloud servic
Is this a FULL,
Control Description
PARTIAL or NO Gap?
Responsibilities for shared information security roles in the

use of the cloud service should be allocated to identified
No Gap
parties, documented, communicated and implemented by
both the cloud service customer and cloud service provider.
Assets of the cloud service customer that are on the cloud

service provider's premises should be removed, and returned
No Gap
if necessary, in a timely manner upon termination of the cloud
servie agreement.
A cloud service customer's virtual environment running on a

cloud service should be protected from other cloud service No Gap
customers and unauthorized persons.
Virtual machines in a cloud computing environment should be

No Gap
hardened to meet business needs.
Procedures for administrative operations of a cloud computing
No Gap
environment should be defined, docuented and monitored.
The cloud service customer should have the capability to

monitor specified aspects of the operation of the cloud Partial Gap
services that the cloud service customer uses.
Upon configuration of virtual networks, consistency of

configurations between virtual and physical networks should
No Gap
be verified based on the cloud service provider's network
security policy.
ts reserved
O 27017
CLD
ed control set for cloud services. ISO/IEC 27002 control objectives related to these controls are not repeated.
IF NO OR PARTIAL GAP exist, to which CCM

Control is this control linked to?
HRS-07
HRS-10
STA-05
DSI-06
SEF-03
STA-05
DSI-07
STA-05
DSI-07
IVS-01
IVS-09
IVS-11
IVS-06
IVS-07
IVS-11
AIS-04
AAC-02
BCR-01
BCR-07
BCR-10
AIS-04
BCR-10
BCR-11
CCC-01
CCC-04
DSI-07
DCS-05
DCS-06
EKM-02
EKM-03
HRS-08
IAM-02
IAM-04
IAM-05
IAM-08
IVS-12
IPY-03
SEF-02
TVM-01
TVM-02
GRM-06
SEF-05
IAM-07
IVS-01
IVS-07
IVS-01
IVS-04
IVS-05
IVS-09
IVS-06
control objectives related to these controls are not repeated.

The monitoring controls are quite covered by the controls included in CCM.
However, these controls do not specifically mention that the monitoring
capability should be at the disposal of the cloud customer which is an
important attribute in the control

CCM-IsO Reverse Mapping and Gap Analysis FINAL

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

CCM-IsO Reverse Mapping and Gap Analysis FINAL

Transféré par

Droits d'auteur :

Formats disponibles

Description

A.5 Information Security Po

A.5.1 - Management direction for infor

ID Control Control Description

A set of policies for information security shall

The policies for information security shall be

A.5 Information Security Policies

anagement direction for information security

Is this a FULL, IF NO OR PARTIAL GAP

AND IF PARTIAL GAP exist, what is the gap

6.1.2 Segregation of duties

6.1.3 Contact with authorities

Contact with special interest

6.2.1 Mobile device policy

© Copyright 2018, Cloud Security Alliance. All rights reserved

A.6 Organization of informat

A.6.1 - Internal organiz

All information security responsibilities shall be defined and

Conflicting duties and areas of responsibility shall be

Appropriate contacts with relevant authorities shall be

Appropriate contacts with special interest groups or other

A.6.2 - Mobile devices and te

A policy and supporting security measures shall be adopted to

y Alliance. All rights reserved

A.6 Organization of information security

A.6.1 - Internal organization

IF NO OR PARTIAL GAP exist,

A.6.2 - Mobile devices and teleworking

IF NO OR PARTIAL GAP exist,

AND IF PARTIAL GAP exist, what is the gap analysis?

AND IF PARTIAL GAP exist, what is the gap analysis?

Objective: To ensure that employees and

Terms and conditions

Objective: To ensure that e

7.2.1 Management responsibilities

7.2.3 Disciplinary process

Objective: To protect the

© Copyright 2018, Cloud Security Alliance. All rights reserved

A.7.1 - Prior to employme

Background verification checks on all candidates for employment shall be

The contractual agreements with employees and contractors shall state

A.7.2 - During employme

Management shall require all employees and contractors to apply

There shall be a formal and communicated disciplinary process in place to

A.7.3 - Termination and change of

Information security responsibilities and duties that remain valid after

y Alliance. All rights reserved

A.7.1 - Prior to employment

IF NO OR PARTIAL GAP exist, to

A.7.2 - During employment

IF NO OR PARTIAL GAP exist, to

A.7.3 - Termination and change of employment

IF NO OR PARTIAL GAP exist, to

Partial Gap HRS-04

AND IF PARTIAL GAP exist, what is the gap analysis?

AND IF PARTIAL GAP exist, what is the gap analysis?

AND IF PARTIAL GAP exist, what is the gap analysis?

HRS-04 control has currently vague and confusing content, it is neither

8.1.1 Inventory of assets

8.1.2 Ownership of assets

8.1.3 Acceptable use of assets

8.1.4 Return of assets

8.2.1 Classification of information

8.2.2 Labelling of information