Standard: ISO/IEC TS 27008

Description

Contents

Foreword
Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Structure of this document

5 Background

6 Overview of information security control assessments

Assessment process

General
Preliminary information
Assessment checklists
Review fieldwork
The analysis process

Resourcing and competence

7 Review methods

Overview

Process analysis

General

Examination techniques

General
Procedural controls
Technical controls

Testing and validation techniques

General
Blind testing
Double blind testing
Grey box testing
Double grey box testing
Tandem testing
Reversal

Sampling techniques

General
Representative sampling
Exhaustive sampling

8 Control assessment process

Preparations

Planning the assessment

  • Overview
  • Scoping the assessment
  • Review procedures
  • Object-related considerations
  • Previous findings
    • Overview
    • Changing conditions
    • Acceptability of reusing reviews
    • Time aspects
  • Work assignments
  • External systems
  • Information assets and organization
  • Extended review procedure
  • Optimization
  • Finalization

Conducting reviews

Analysis and reporting results

Annex A - Initial information gathering (other than IT) (informative)

General

  • Human resources and security
  • Policies
  • Organization

Physical and environmental security

  • Are the sites safe for information?
  • Are the sites safe for ICT? (Environmental aspects)
  • Are the sites safe for people?

Incident management

Annex B - Practice guide for technical security assessments (informative)

General

Assessment of controls from

Information security policies
Organization of information security
Human resource security
Asset management
Access control
Cryptography
Physical and environmental security
Operations security
Communications security
System acquisition, development and maintenance
Supplier relationships
Information security incident management
Information security aspects of business continuity management
Compliance

Annex C - Technical assessment guide for cloud services (Infrastructure as a Service) (informative)

Positioning and purpose

Relationship with other international standards

Structure of this annex

Cloud services (infrastructure as a service) environment model

Meaning of the model introduced
Model and components
Correspondence to

Common practice in the Implementation Model

  • General
  • Application of virtualization technologies in the cloud service
  • Carrying out the technical assessment for the common aspects in the virtualization mechanism
    • Operations security

Server virtualization

  • Overview of server virtualization
  • Application of server virtualization in the cloud services
  • Carrying out the technical assessment for the server virtualization
    • Access control

Network virtualization

  • Overview of network virtualization
  • Application of network virtualization in the cloud services
  • Carrying out a technical assessment for the network virtualization
    • Access control
    • Cryptography
    • Communications security

Storage virtualization

  • Overview of storage virtualization
  • Application of storage virtualization in the cloud services
  • Carrying out the technical assessment for the storage virtualization
    • Access control
    • Cryptography
    • Operations security

Service management

  • Overview of service management
  • Application of service management in the cloud services
  • Carrying out the technical assessment for the service management
    • User access management
    • Cryptography
    • Information security incident management

Relational table for denotations in and this annex

Bibliography