Module 2: Cloud Service Provider Controls

CSP Controls Checklist

Overview

This lesson provides a comprehensive checklist of ISO 27017 controls for Cloud Service Providers.

CSP Control Implementation Checklist

Physical and Environmental Security

A.11.1 - Secure Areas

  • Multiple physical security perimeters implemented
  • 24/7 monitored access with biometric controls
  • Visitor management and escort procedures
  • Video surveillance with retention policy
  • Intrusion detection systems active
  • Security guard patrols scheduled

A.11.2 - Equipment

  • Redundant power systems (N+1 UPS, generators)
  • Climate control with monitoring
  • Fire suppression systems tested
  • Equipment secured in locked racks
  • Asset tracking system implemented
  • Secure disposal procedures for hardware

Infrastructure Security

A.12.1 - Operational Procedures

  • Documented operational procedures
  • Change management process
  • Capacity monitoring and planning
  • Environment separation (dev/test/prod)
  • Regular backup verification
  • Performance monitoring

A.12.4 - Logging and Monitoring

  • Centralized logging (SIEM)
  • Clock synchronization (NTP)
  • Log retention policy (minimum 90 days)
  • Log integrity protection
  • Administrator action logging
  • Security event alerting

A.12.6 - Technical Vulnerability Management

  • Vulnerability scanning (weekly)
  • Patch management process
  • Vulnerability disclosure policy
  • Security advisory monitoring
  • Penetration testing (annual)

Virtualization Security

CLD.6.3.1 - Virtual Machine Hardening

  • Hypervisor hardening standards
  • Minimal VM templates
  • VM image scanning
  • VM access controls
  • VM monitoring
  • VM lifecycle management

CLD.6.3.2 - Virtual Machine Image Protection

  • Image encryption
  • Image signing/verification
  • Private image repository
  • Image vulnerability scanning
  • Version control for images
  • Regular image updates

Network Security

A.13.1 - Network Controls

  • Network segmentation implemented
  • Firewall rules documented
  • DDoS protection active
  • Network monitoring (IDS/IPS)
  • VPN capabilities for customers
  • Network access logging

CLD.9.5.2 - Virtual Network Protection

  • Virtual network isolation per tenant
  • Security group capabilities
  • Network ACL capabilities
  • Private connectivity options
  • Network flow logging

Data Protection

A.10.1 - Cryptographic Controls

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.2+)
  • Key management system (HSM)
  • Customer-managed key support
  • Cryptographic standards documented
  • Key rotation procedures

A.12.3 - Backup

  • Automated backup systems
  • Backup encryption
  • Geographic redundancy
  • Regular restore testing
  • Backup retention policy
  • Customer backup options

Access Control

A.9.1 - Access Control Policy

  • Access control policy documented
  • Least privilege principle
  • Segregation of duties
  • Regular access reviews
  • Privileged access management
  • Multi-factor authentication

A.9.2 - User Access Management

  • User provisioning process
  • User deprovisioning process
  • Access approval workflow
  • Role-based access control
  • Quarterly access reviews

CLD.13.1.4 - Cloud User Management Interfaces

  • Secure management console (HTTPS)
  • API authentication (OAuth 2.0)
  • API rate limiting
  • API access logging
  • SDK security documentation

Incident Management

A.16.1 - Incident Management

  • Incident response plan documented
  • 24/7 incident response capability
  • Incident classification criteria
  • Customer notification procedures
  • Incident logging and tracking
  • Post-incident review process

A.16.1.2 - Reporting Security Events

  • Security event reporting process
  • Customer reporting channels
  • Event severity classification
  • SLA for event response
  • Event notification templates

Compliance and Audit

A.18.1 - Legal and Regulatory

  • Compliance requirements identified
  • Privacy policy published
  • Data processing agreements
  • Subprocessor disclosure
  • Data location documentation
  • Regulatory compliance (GDPR, etc.)

A.18.2 - Information Security Reviews

  • Annual compliance audits (SOC 2)
  • ISO 27001 certification
  • Penetration testing (annual)
  • Internal audits (quarterly)
  • Management reviews (quarterly)
  • Compliance reporting to customers

Service Availability

A.17.1 - Business Continuity

  • Business continuity plan
  • Disaster recovery plan
  • Recovery time objectives defined
  • Recovery point objectives defined
  • BC/DR testing (annual)
  • Redundant infrastructure

A.17.2 - Redundancies

  • Multi-region capability
  • Automated failover
  • Load balancing
  • Data replication
  • Power redundancy (N+1)
  • Network redundancy

Customer Support

A.15.1 - Supplier Relationships

  • Customer onboarding process
  • Service Level Agreements
  • Support response SLAs
  • Escalation procedures
  • Contract management
  • Customer offboarding process

CLD.8.1.5 - Asset Removal/Return

  • Data deletion procedures
  • Data export capabilities
  • Asset inventory for customers
  • Deletion verification
  • Certificate of destruction (if requested)
  • Retention policy after termination

Documentation and Transparency

Required Customer Documentation

  • Security whitepaper
  • Shared responsibility model
  • Compliance certifications
  • Service descriptions
  • SLA terms
  • Data processing agreement
  • Incident notification policy
  • Change management notification

Maturity Assessment

Level 1 - Initial

  • Ad-hoc security controls
  • Limited documentation
  • Reactive security

Level 2 - Managed

  • Documented processes
  • Some automation
  • Defined roles

Level 3 - Defined

  • Standardized processes
  • Integrated tools
  • Proactive monitoring

Level 4 - Quantitatively Managed

  • Metrics-driven
  • Advanced automation
  • Continuous improvement

Level 5 - Optimizing

  • Industry-leading practices
  • Full automation
  • Innovation focus

Key Takeaways

  1. Comprehensive controls cover all security domains
  2. Documentation is essential for transparency
  3. Regular testing validates control effectiveness
  4. Continuous improvement is necessary
  5. Customer communication builds trust

Module 2 Complete

Congratulations on completing Module 2! You now understand:

  • CSP security responsibilities
  • Infrastructure and virtualization security
  • Data segregation techniques
  • SLA requirements
  • Incident management
  • Comprehensive CSP controls

Next Module: Cloud Service Customer Controls
