Customer Controls Checklist
Overview
A comprehensive checklist of the ISO/IEC 27017 controls that fall to Cloud Service Customers, covering what the customer must put in place to use cloud services securely.
Customer Control Implementation Checklist
Governance and Risk Management
Information Security Policy
- Cloud security policy documented
- Shared responsibility model defined
- Risk assessment for cloud services
- Cloud service approval process
- Regular policy review (annual minimum)
Cloud Service Selection
- Vendor evaluation criteria defined
- Security questionnaire template
- Required certifications identified (ISO 27001, SOC 2)
- Reference checks process
- Contract review checklist
Data Management
A.8.1.1 - Inventory of Assets
- Complete cloud asset inventory
- Data location documentation
- Shadow IT discovery process
- Regular inventory updates (quarterly)
- Asset ownership assigned
A.8.2.1 - Classification of Information
- Data classification scheme defined
- Classification labels applied
- Handling procedures documented
- Regular classification review
- User training on classification
A.8.2.3 - Handling of Assets
- Handling procedures by classification
- Data retention policies defined
- Secure deletion procedures
- Data portability plan
- Backup and recovery procedures
Access Control
A.9.1.1 - Access Control Policy
- Access control policy documented
- Least privilege implemented
- Segregation of duties defined
- Policy communicated to users
- Regular policy review
A.9.2.1 - User Registration and Deregistration
- User provisioning process
- User deprovisioning process
- Automated provisioning (if possible)
- Orphan account detection
- Quarterly access reviews
A.9.2.3 - Management of Privileged Access Rights
- Privileged access policy
- Just-in-Time access implemented
- Privileged session monitoring
- Emergency access procedures
- Regular privileged account reviews
A.9.4.1 - Information Access Restriction
- Role-based access control (RBAC)
- Data access controls configured
- Access logging enabled
- Access violation alerts
- Regular access audits
A.9.4.2 - Secure Log-on Procedures
- Multi-factor authentication (MFA) enabled
- Password complexity requirements
- Account lockout policy
- Session timeout configured
- Failed login monitoring
Identity Federation
- Single Sign-On (SSO) implemented
- Identity provider integration
- Automated user lifecycle
- Federation monitoring
- Backup authentication method
Cryptography
A.10.1.1 - Policy on Use of Cryptographic Controls
- Encryption policy defined
- Encryption requirements by classification
- Approved algorithms documented (AES-256)
- Key management strategy defined
- Regular policy review
A.10.1.2 - Key Management
- Key management approach selected (customer-managed keys, CMK, or provider-managed keys, PMK)
- Key access controls configured
- Key rotation schedule (90-365 days)
- Key backup and recovery procedures
- Key usage monitoring
Encryption Implementation
- Data at rest encryption enabled
- Data in transit encryption (TLS 1.2+)
- Encryption verified for all sensitive data
- Client-side encryption (if required)
- Encryption key documentation
Application Security (IaaS/PaaS)
A.14.1.1 - Information Security Requirements Analysis
- Security requirements for cloud apps
- Compliance requirements identified
- Data classification considered
- Security architecture documented
- Regular requirements review
A.14.2.1 - Secure Development Policy
- Secure coding guidelines
- Code review process
- Security testing in SDLC
- Dependency management
- Vulnerability scanning
A.14.2.5 - Secure System Engineering Principles
- Security by design implemented
- Defense in depth
- Least privilege in applications
- Secure defaults
- Fail securely
A.14.2.8 - System Security Testing
- Security testing plan
- Automated security testing (SAST/DAST)
- Penetration testing (annual)
- Vulnerability remediation process
- Retest after fixes
Configuration Management
A.12.1.2 - Change Management
- Change management process for cloud
- Change approval workflow
- Change testing procedures
- Change logging
- Emergency change procedures
A.12.6.1 - Management of Technical Vulnerabilities
- Vulnerability scanning (weekly)
- Patch management process
- Critical patch SLA (< 30 days)
- Vulnerability assessment reports
- Remediation tracking
CLD.12.1.5 - Administrative Operations
- Administrative access controls
- Administrative activity logging
- Separation of administrative duties
- Administrative account reviews
- Break-glass procedures documented
Security Baselines
- CIS benchmarks applied
- Configuration baselines documented
- Automated compliance scanning
- Configuration drift detection
- Baseline review (quarterly)
Monitoring and Logging
A.12.4.1 - Event Logging
- Logging enabled for all critical resources
- Log types identified (auth, access, config)
- Log retention policy (90-365 days)
- Centralized log aggregation
- Log review process
CLD.12.4.5 - Monitoring of Cloud Services
- Cloud monitoring tools configured
- Security event monitoring
- Cost monitoring and alerts
- Performance monitoring
- Compliance monitoring
CLD.9.5.1 - Cloud Service Customer Monitoring
- User activity monitoring
- Anomaly detection configured
- Automated alerting
- SIEM integration
- Monitoring dashboard
Security Monitoring
- Failed authentication alerts
- Privilege escalation alerts
- Configuration change alerts
- Data exfiltration detection
- Resource abuse detection
Network Security (IaaS/PaaS)
A.13.1.1 - Network Controls
- Virtual network configured
- Network segmentation implemented
- Firewall rules documented
- Inbound traffic restricted
- Outbound traffic monitored
A.13.1.2 - Security of Network Services
- Secure protocols only (HTTPS, SSH, SFTP)
- Unnecessary ports closed
- DDoS protection configured
- Network monitoring enabled
- VPN for remote access
CLD.9.5.2 - Virtual Network Protection
- Security groups configured
- Network ACLs implemented
- Private subnets for sensitive resources
- Network flow logs enabled
- Regular network review
Backup and Business Continuity
A.12.3.1 - Information Backup
- Backup strategy documented
- Automated backups configured
- Backup encryption enabled
- Backup testing (quarterly)
- Geographic redundancy
A.17.1.1 - Planning Information Security Continuity
- Business continuity plan for cloud
- Recovery time objectives (RTO) defined
- Recovery point objectives (RPO) defined
- Failover procedures documented
- Annual BC/DR testing
A.17.1.2 - Implementing Information Security Continuity
- Redundancy configured
- Multi-region deployment (if required)
- Automated failover tested
- Data replication verified
- Communication plan
Incident Management
A.16.1.1 - Responsibilities and Procedures
- Cloud incident response plan
- Roles and responsibilities defined
- Provider notification procedures
- Escalation paths documented
- Regular IR drills
A.16.1.2 - Reporting Information Security Events
- Security event reporting process
- Incident classification criteria
- Internal notification procedures
- Regulatory reporting procedures
- Customer notification (if applicable)
A.16.1.5 - Response to Information Security Incidents
- Incident response procedures
- Evidence collection procedures
- Containment procedures
- Recovery procedures
- Post-incident review
Compliance and Audit
A.18.1.1 - Identification of Applicable Legislation
- Applicable regulations identified
- Compliance requirements documented
- Data residency requirements met
- Regulatory reporting procedures
- Regular compliance review
A.18.1.4 - Privacy and Protection of PII
- Privacy policy for cloud data
- PII inventory
- Data subject rights procedures
- Privacy impact assessments
- Consent management (if applicable)
A.18.2.2 - Compliance with Security Policies
- Compliance monitoring process
- Regular audits (annual)
- Gap analysis process
- Compliance reporting
- Continuous improvement
Audit Preparation
- Evidence collection automated
- Documentation repository
- Audit rights in contracts
- Audit log availability
- Audit response procedures
Supplier Management
A.15.1.1 - Information Security Policy for Supplier Relationships
- Cloud provider evaluation process
- Required certifications defined
- Security questionnaire template
- Ongoing assessment process
- Provider performance review
A.15.1.2 - Addressing Security in Supplier Agreements
- SLA includes security requirements
- Data processing agreement signed
- Incident notification SLA
- Audit rights included
- Exit strategy documented
A.15.2.1 - Monitoring and Review of Supplier Services
- Provider performance monitoring
- SLA compliance tracking
- Security incident tracking
- Compliance reporting review
- Annual provider review
Training and Awareness
A.7.2.2 - Information Security Awareness
- Cloud security training program
- User onboarding includes cloud security
- Annual refresher training
- Phishing awareness training
- Training effectiveness measurement
Cloud-Specific Training
- Shared responsibility model training
- Data classification training
- Secure configuration training
- Incident reporting training
- Compliance requirements training
Data Portability and Exit
CLD.8.1.5 - Removal/Return of Assets
- Data export procedures documented
- Exit strategy defined
- Data format for export specified
- Deletion verification process
- Transition assistance in contract
Exit Planning
- Data export tested
- Alternative provider identified
- Migration plan documented
- Cost of exit estimated
- Timeline for transition
Maturity Assessment
Level 1 - Initial
- Basic cloud usage without formal controls
- Limited documentation
- Ad-hoc security measures
Level 2 - Developing
- Core controls implemented
- Basic documentation in place
- Some automation
Level 3 - Defined
- Comprehensive controls implemented
- Complete documentation
- Integrated monitoring
Level 4 - Managed
- Metrics-driven management
- Advanced automation
- Proactive security
Level 5 - Optimized
- Continuous improvement
- Full automation
- Industry-leading practices
Module 3 Complete
Congratulations on completing Module 3! You now understand:
- Customer security responsibilities
- Cloud service selection criteria
- Data classification and handling
- Access management
- Encryption and key management
- Monitoring and logging
- Comprehensive customer controls
Next Module: Implementation and Compliance