If you operate a business or service online, you have a responsibility to ensure your core data and applications in the cloud are secure at all times. With the constantly evolving threat landscape, this can be a complex task. However, there are compliance frameworks specific to different industries that can provide the methodology for organisations to identify potential incidents and define procedures to prevent such incidents.
When you start to look into the requirements for information security in the cloud, the number of industry standards and control frameworks can be overwhelming at first. With so many out there, it can be difficult to understand which standards apply to your organisation and which you should focus your efforts on first. Simply put, any organisation with workloads processing sensitive data should strongly consider compliance with at least ISO-27001, SOC 2 and the CIS AWS Foundations benchmark as a great starting point.
Implementing processes and controls for these standards will go a long way towards ensuring data security. Taking it to the next level, certification against ISO 27001 and attestation under SOC 2 will increase trust in your organisation and can give it a competitive advantage amongst security-conscious customers. There are other clear business benefits to implementing these frameworks, such as avoiding the financial loss that results from a security breach, ensuring data privacy and integrity, achieving regulatory compliance, and defining information-handling roles and responsibilities.
This blog post describes 10 cloud security standards and control frameworks that your organisation should consider. It’s worth noting that many of the standards below do not specifically address cloud information security, but rather information security in general. The list is by no means exhaustive, and there may be additional standards which are more suitable for your specific industry sector.
Itoc’s top 10 cloud security standards and control frameworks:
ISO-27001 / ISO-27002
Any organisation that holds sensitive information can benefit from implementing ISO-27001. ISO-27001 specifies the requirements for an Information Security Management System (ISMS). ISO-27002 describes the controls that can be put in place to comply with the ISO-27001 standard. Compliance with ISO-27001 demonstrates to your customers that your organisation takes information security seriously and has implemented best-practice information security methods.
ISO-27017
An extension of ISO-27001 that incorporates clauses specific to information security in the context of the cloud. Compliance with ISO-27017 should be considered alongside ISO-27001.
This standard relates to the protection of personally identifiable information (PII) in public clouds acting as PII processors. Whilst this standard is targeted specifically at public-cloud providers such as AWS or Azure, PII controllers (e.g. a SaaS provider processing customer PII in AWS) still carry a level of responsibility. You should consider compliance with this standard if you are a SaaS provider processing PII.
General Data Protection Regulation (GDPR)
The data protection and privacy regulation of the European Union. Whilst this regulation is specific to the European Union, you need to consider it if you store or process any personal data of European Union citizens.
System and Organisation Controls (SOC) Reporting
A SOC 2 audit report demonstrates that your organisation has policies, procedures and controls in place to meet the five trust principles: Security, Availability, Processing Integrity, Confidentiality and Privacy. If you are a SaaS provider, prospective clients may ask you to demonstrate SOC 2 compliance.
Payment Card Industry Data Security Standard (PCI DSS)
Specific to organisations handling cardholder information. This standard provides baseline technical and operational requirements for protecting cardholder data.
Health Insurance Portability and Accountability Act (HIPAA)
Specific to organisations handling medical information. The HIPAA Security Rule (HSR) is most appropriate in the context of information security. This rule provides standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity.
CIS AWS Foundations v1.2
Best practice security controls specific to Amazon Web Services (AWS).
CIS Controls Top 20
A prioritised set of actions for protection against cyber threats.
ACSC Essential Eight
A baseline of eight essential strategies for preventing and limiting the extent of cyber security incidents.
Although the number of standards and control frameworks may seem overwhelming at first, common themes appear across many of them. Striving for compliance with one will often take you a long way towards compliance with another.
Once you’ve decided on the standards and control frameworks to pursue, you will need to establish policies and procedures and implement the supporting technical controls. Implementing technical controls might be an unnecessary distraction for your team (who are hard at work delivering business value), but don’t worry... you don’t need to go it alone.
It can take considerable time to implement these controls and keep documentation up to date, particularly if your team is not experienced in this field. If your team is currently delivering business value, do you really want to shift their focus? For ongoing compliance, you’ll also need to routinely patch infrastructure, monitor workloads, protect against malware… just to name a few. Wouldn’t it be better if an expert just took care of this?
Leave the heavy lifting to a Next-Generation Cloud Managed Service Provider (MSP) like Itoc, so your team can remain focused on accelerating your business. Itoc can set you on the right path by provisioning cloud infrastructure with technical controls in place to address the security standards and control frameworks described above.
That’s just the beginning of the journey. Your Next-Generation Cloud Managed Service Provider can monitor, maintain and support your workloads long term, ensuring compliance today, tomorrow and well into the future as your business continues to grow. Download our checklist to ensure you choose the right MSP for your business. To get in touch with our dedicated MSP team, simply fill out the form below.