|
+OIS-08.01AC |
1. ÜbersichtOIS-08.01ACThe cloud service provider integrates information security risks into a documented Enterprise Risk Management (ERM) programme which addresses the following aspects:1. Integration of information security risks at the enterprise level to promote information security risk-awareness across the entire organisation; 2. Leadership awareness and support for identification, analysis and treatment of information security risks to foster continuous improvement; and 3. Consideration of the cloud service provider's strategic objectives when managing risks to align risk treatment with the organisation's goals. This criterion applies only to risks that reside within the area of responsibility of the cloud service provider. Risks that arise for the cloud service customer when using the cloud service are not covered by this criterion. When outsourcing activities for the provision of cloud services to service organisations, the responsibility for these risks remains with the cloud service provider. Requirements for measures to manage these risks can be found in the criteria area 'Control and Monitoring of Service Providers and Suppliers (SSO)'. Cloud service providers may leverage established risk management standards, such as ISO 27005 or the ISO 31000 family of standards to address risks related to the cloud service. Risk management procedures already implemented at the cloud service provider may be leveraged for OIS-08 where possible to reduce redundancies. Documentation of risks, treatment plans and risk acceptance in the sense of this criterion does not require specific formal frameworks; lean forms of documentation can be leveraged wherever appropriate to address the OIS-08 subcriteria.
1.1 Referenzen1.2 Identifizierte Anforderungen1.2 Related Regulation2. Identifizierte Anforderungen
3. Related Regulations
|