
Cloud Controls

Control groups (group number, name, short code, number of controls):
2 = Outsourcing, OUTS, 39 controls
3 = Multi tenancy, MULTI, 5 controls
4 = PaaS (future)
5 = SaaS (future)
6 = Cloud Service Integration (future)
Total: 44 controls

The control sheet has the columns Control Group, Control Group Number, Control Number, Control Sub Group, Shortcode, Short Control, Control, Mapping to ISO 27017 (draft), Mapping to CSA, Mapping to the NCSC beveiligingsrichtlijnen voor webapplicaties (Dutch) and Remark / Specification. The controls are listed below by shortcode with their sub group, short control, control text and remark; the mapping references follow at the end of this section.

Multi Tenancy

CC-MULTI-01 Cloud provider capacity management
Cloud provider will make sure enough capacity is available, taking peaks in usage and multi tenancy into account.

CC-MULTI-02 Acceptable use other customers
An acceptable use policy will be defined and enforced. Activities of customers that threaten the services of other customers will be included in the acceptable use policy.

CC-MULTI-03 Isolation failure risk
Isolation failure risk in virtualization technology and storage is frequently reviewed and is managed to a minimum.
Remark: Attacks that target the virtual infrastructure (shimming, Blue Pill, hyperjacking, etc.) shall be identified and remediated with technical and procedural controls.

CC-MULTI-04 Network segregation
It is possible to fence off the environments of a single customer.
Remark: Sniffing and IP spoofing will be made impossible.

CC-MULTI-05 Control over hardware in case of subpoenas
In case of a subpoena the cloud provider commits to make a commercially reasonable effort to resist, within the limits of applicable law, any confiscation of hardware and data from other customers.
Remark: Procedures are in place allowing the safe extraction of customer assets upon subpoena.

Management Information and Control

CC-OUTS-01 Clear agreements
All terms of business are clearly described and communicated. Service Level Agreements clearly describe both the scope and application of activities.
Remark: Additional requirements ISO27017: clear information regarding environment capacity, performance, upgrade time, max performance, trial use specifications and the requirements regarding business continuity and disaster recovery is provided. Payment terms are clearly described.

CC-OUTS-02 Changes to agreements
Measures are in place to mitigate the risk of the cloud provider changing the Service Level Agreement, Terms of Business or the rest of the agreement against the customer's wishes.

CC-OUTS-03 Portability of services
Short term contracts are possible. Customer data is exportable and transportable in an industry-accepted format. Migrations to other cloud providers will not be obstructed.

CC-OUTS-04 Customer risk assessment
Cloud provider will provide information on request about risk of confiscation, provider termination, lock-in risk and change in cloud provider ownership.

CC-OUTS-05 Compliance with SLA
Service Level Agreement fulfillment is defined, tracked and communicated to customers. Procedures are in place to bring SLA delivery back into compliance in case of a breach.
Remark: In case the SLA delivery remains out of compliance customers will get the opportunity to migrate and will receive their product without charge for a reasonable period in order to facilitate the migration. If compliance with the SLA can not be achieved because of a change of law the relevant points of non-compliance will be deemed permissible.

CC-OUTS-06 Breach of uptime commitment
A robust uptime breach compensation system is in place. Availability of a service means availability from the edge of the cloud provider network. Key product components being unavailable also implies a service is down. Maintenance to services will not be considered as an uptime breach when announced in advance.

CC-OUTS-07 Information on audit results and mitigation of non-compliance
Cloud provider will communicate audit policy, controls and results. If an audit reveals the provider is not in compliance with the standards it is committed to, the customers concerned will be informed. The cloud provider will get a reasonable period to bring the standard back into compliance. If the standard is not brought back into compliance customers will be compensated.
Remark: Compensation is thus arranged for: customers will get the opportunity to migrate and will receive their product without charge for a reasonable period in order to facilitate the migration. If compliance with any standard can not be achieved because of a change of law the relevant points of non-compliance will be deemed permissible.

CC-OUTS-08 Extreme provisioning requests
The customer will be informed of extreme provisioning requests made in its name. It is possible for customers to cap the maximum cost.

CC-OUTS-09 Cloud provider termination
An arrangement will be in place to ensure access to data and assets in case the cloud provider would unexpectedly cease its activities.

CC-OUTS-10 Canceling of services by cloud provider
The cloud provider may only cancel a customer contract on short notice if required by law, if the services are not paid for or if breaches of the acceptable use policy are ignored. The customer is warned ahead of time if possible and there is a procedure that allows the customer access to its data.

CC-OUTS-11 Suspension of services by cloud provider
The cloud provider may only suspend a customer's service if required by law, if services are not paid for or if a breach of the fair use policy is not remedied or the services or other customers are threatened. The customer is warned ahead of time if possible and the services will be made available again as soon as possible.

Legal Process

CC-OUTS-12 Data location and applicable jurisdictions
Customer can determine the jurisdiction where its data is stored. It will be communicated which governments and jurisdictions can lay claim to a customer's data.
Remark: Situations where the data is transferred from one part of the cloud provider's network to another will also be taken into account when determining which governments and jurisdictions can lay claim to a customer's data.

CC-OUTS-13 Evidence collection for customer investigations
There will be a policy for retaining evidence for investigations by customers and information on this policy will be provided. Automated collection of evidence has been implemented and chain of custody is maintained.
Remark: Virtual asset chain of custody. ISO27017: VM migrations are logged and secured.

CC-OUTS-14 Supporting customer investigations
Cloud provider will cooperate in any reasonable incident investigation by the customer including the handing over of relevant logs (subject to privacy commitments).

CC-OUTS-15 Review of agreements and law
All relevant contracts, NDA requirements and law shall be reviewed periodically.

CC-OUTS-16 Disclosure of relevant legislation and regulatory contacts
Cloud provider will communicate legislation relevant to the service. Cloud provider will also provide details on supervisory authority, court of jurisdiction and contact details.
Remark: Cloud provider technologies that could cause a legal problem for customers in the jurisdictions where the customer's data is stored are evaluated and communicated. Communicating relevant legislation includes that the provider will disclose policies regarding relevant records that the provider is obliged to keep. Cloud provider will confirm whether cryptographic technologies comply with local law (ISO27017).

CC-OUTS-17 Guaranteed data ownership
Customer data always remains owned by the customer. Cloud provider will communicate any intellectual property rights that it claims.

CC-OUTS-18 Legal representation of customers
Cloud provider commits to make a commercially reasonable effort to resist any cease and desist or subpoena procedure if the customer so requires, within the limits of applicable law. If informing the customer of a legal request or demand is not allowed, cloud provider will assume the customer would want to resist such a request.

Privacy and Access to Data

CC-OUTS-19 Privacy policy
A privacy policy has been developed, formally communicated and audited. Robust NDA clauses have been added to the terms describing the confidentiality of all customer data.
Remark: NDA clauses: Cloud provider will not look for, analyze or store customer data when it is not needed for technical reasons or in order to combat fraud or attacks against the provider network. Customer data is destroyed upon request by the customer. Policy regarding customer data separation will be communicated and audited.

CC-OUTS-20 Access of cloud provider personnel to the environment
Cloud provider personnel access rights and operator logs relating to the customer's environments will be made available to the customer on the customer's request. Cloud provider can be blocked from customer environments (with an exception for legal requirements).

CC-OUTS-21 Data retention policy
A policy relating to the removal of data from cancelled products and dormant virtual machines and snapshots has been developed and implemented.
Remark: Deprovisioning of services includes complete destruction of all relevant data preceded by a period of data retention.

Infrastructure Design

CC-OUTS-22 Information over availability and performance
The expected level of performance, level of redundancy and expected recovery times at every level of the processing layer, data storage, the internal network and the transit connections are available. A backup policy has been established and made available. Information on datacenter locations, security, resilience and recovery policies will be available.

CC-OUTS-23 Information on resiliency management
Disaster recovery plans and availability enhancing measures will be shared with customers when relevant.

CC-OUTS-24 Changes in technology and change management
Procedures regarding the provisioning of information on changes to the information system will be established and implemented. Cloud provider will communicate its controls for the procurement of new information systems and enhancements. Cloud provider will endeavor to keep existing technologies used by customers available. When such technology is phased out, there will be a transition period.

Security Process

CC-OUTS-25 Information on security status and security policy changes
The cloud provider will ensure that security policy changes, the security status and security requirements for customers are communicated. Customers will be informed about security policy changes with material impact.

CC-OUTS-26 Audits of security weaknesses
Security weaknesses and their mitigation are audited and the results of this will be communicated. Audit reports will not include information which might lead to compromise.
Remark: Details on audit ISO27017: utility programs that can override controls and the measures that control them will be audited. Measures against malware will be audited.

CC-OUTS-27 Conflicting roles
Cloud provider will develop and communicate a policy with respect to conflicting roles. Specific conflicting roles will be addressed in the auditing process.

CC-OUTS-28 Customer responsibility regarding incidents
Customers will be made aware of their responsibilities regarding incident management and a procedure for customer input is in place.

CC-OUTS-29 Customer vulnerability assessment
Cloud provider will provide the possibility for vulnerability assessment by customers and provide information on the policy regarding vulnerability assessment.

Operational Process

CC-OUTS-30 Information on incidents
A policy is available to inform customers in the case of a breach of privacy, a security breach or technical failure that could affect the customer. Fault logs policy will be communicated and relevant logs will be made available to customers on request.

CC-OUTS-31 Information regarding SLA performance and service usage
Detailed reporting is available on SLA performance as well as used and billable resources.

CC-OUTS-32 Information and planning regarding maintenance and outages
There is a procedure to communicate with customers in the case of maintenance and outages. Maintenance will be planned in order to minimize customer impact.

CC-OUTS-33 Information on degraded services
If a service was interrupted or degraded, a detailed report will be provided on the reason and mitigation measures if relevant.

CC-OUTS-34 User manuals
Cloud provider will provide explanation pertaining to the relevant services the cloud provider offers.

Interfacing with the Service

CC-OUTS-35 Management interface protection
Public facing web applications and APIs related to the cloud service shall be secured. Connections are made on the basis of strong passwords and encrypted connections.
Remark: Cloud security includes: public facing web applications are protected by IDS and an application-level firewall. Measures are taken against vulnerabilities in the application logic: only parameterised queries are used, comments in the code are minimised, cookie use is secure and code reviews and black box scans are conducted regularly. Unused public facing functionality will be removed.
NCSC mapping: BO-13, B3-5, B3-11, B3-14, B3-15, B3-16, B5-2, B5-4, B7-1.

CC-OUTS-36 Customer payment data
Sensitive customer data is encrypted. Measures shall be implemented to prevent unauthorised access or storage of sensitive financial information.
Remark: Sensitive data includes: tracks, magnetic stripe data, PIN, PAN, CCV, credit card numbers.

CC-OUTS-37 Management interface access
Customer management interfaces have a formal access control model featuring individual access only. Extra checks will be available in the case of actions that could result in data destruction. Access rights to the customer management interface can be changed easily by the customer. Reductions in access rights because of a termination of a contract or a reduction of access rights concerning a customer employee are implemented immediately and completely. Information on the use of customer employee access rights will be provided on demand.
Remark: Information will be provided on management interface access procedures so the customer can develop its own policies.

CC-OUTS-38 Management interface availability
Availability enhancing measures for the management interface will be available.
Remark: Further specification: the management interface is not dependent on a single physical site.

CC-OUTS-39 Customer personnel authorisation
Requests from customer personnel are only executed if that person has been authorized based on his or her predefined authorisation level.

Mapping references

The mapping columns (ISO 27017 draft clause numbers, CSA identifiers such as IS-26, LG-01, SA-07 and DG-04, and NCSC identifiers such as BO-13) as they appear in the sheet, in order; apart from the NCSC mapping of CC-OUTS-35 above, the sheet layout does not show which control each reference belongs to:
11.4.1
IS-26
IS-34
11.5.3
11.1.3, 14.2.8
IS-31
11.5.3
16.1.1
7.1.2, 17.3.1, 10.3.1
11.7.2, 17.1.4
15.1.7, 11.7.2, 9.2.7
9.1.2
LG-01
6.1.4, 17.1.1, 17.1.3, 17.1.6
17.1.2
6.1.4
6.1.3, 7.1.2
SA-07
11.8.3, 13.2.2
BO-13
10.3.1, 11.3.1, 11.5.1, 16.1.1, 11.1.3
DG-04
16.1.3
11.1.2, 14.2.2, 14.2.3, 14.1.1
15.1.1, 15.1.2, 15.1.3
15.1.3, 11.2.1, 13.4.4
14.4.1
8.2.1
8.2.1, 5.1.2
10.2.2, 8.2.1, 5.1.2
10.3.1, 11.8.4
IS-27
11.1.3
IS-27
11.1.1, 11.9.1, 11.10.1
Remark at this position: Information included in ISO27017: the relevant encryption used and information on mobile interaction with the provider.
12.1.1, 12.1.2
7.1.2, 13.1.1, 13.2.1, 13.2.3, 13.4.1, 13.4.2, 13.2.2, 13.2.4, 8.3.3
IS-09
IS-26

Risks

Only the cloud specific risks related to the Infrastructure as a Service (IaaS) layer are included, excluded are:
* Connections with the cloud.
* Software within customer environments.
* Internal security of the cloud provider (covered by ISO27001).
* Availability enhancing measures.

Each risk is followed in brackets by the cloud control that addresses it; the risks are grouped by control sub group.

Multi Tenancy

1. Cloud provider does not maintain enough excess capacity to deal with peaks in usage. [CC-MULTI-01]
2. Other customers' activity threatens customer performance. [CC-MULTI-02]
3. Other customers' activity threatens customer reputation. [CC-MULTI-02]
4. A virtual server or storage environment that does not belong to the customer is used as a base to launch attacks against provider or customer infrastructure. [CC-MULTI-03]
5. Other parties active on the cloud provider network are able to intercept traffic between the different customer environments. [CC-MULTI-04]
6. Another customer being subpoenaed leads to critical infrastructure being impounded. [CC-MULTI-05]

Management Information and Control

7. Unclear definitions in the agreement lead to customer expectations not being met. [CC-OUTS-01]
8. The provider changing the SLA, Terms of Business or the rest of the agreement against the customer's wishes. [CC-OUTS-02]
9. Customer is locked into using the cloud provider's infrastructure because ending the contract or migrating is difficult. [CC-OUTS-03]
10. Customer can not adequately perform a risk assessment because of a lack of information. [CC-OUTS-04]
11. Cloud provider does not fulfill its SLA commitments because of poor definition or poor internal communication. [CC-OUTS-05]
12. Customer does not have any recourse if the cloud provider does not fulfill its SLA commitments. [CC-OUTS-05]
13. Customer is not informed about a breach of SLA commitments. [CC-OUTS-05]
14. The uptime is insufficient but allowed downtime is defined too broadly in the agreement. [CC-OUTS-06]
15. Compensation for downtime is low because a limited compensation is defined in the agreement. [CC-OUTS-06]
16. It is unclear what the cloud provider's controls are and what the audit policy and results are. [CC-OUTS-07]
17. Customer does not find out if an audit finds a standard is not in compliance. [CC-OUTS-07]
18. The cloud provider is not forced to keep a standard in compliance. [CC-OUTS-07]
19. The customer incurs high cost because of a large order made by an unauthorised employee or a third party that provided itself with authorisation. [CC-OUTS-08]
20. Customer loses control over its data because the cloud provider ceases its activities. [CC-OUTS-09]
21. The customer's contract is cancelled unexpectedly and with insufficient warning. [CC-OUTS-10]
22. The customer's service(s) are suspended unexpectedly and with insufficient warning. [CC-OUTS-11]

Legal Process

23. Customer data is unexpectedly leaked to foreign entities because the cloud provider is legally obliged to hand over the customer's data. [CC-OUTS-12]
24. Evidence is not available or usable in a legal situation. [CC-OUTS-13]
25. Cloud provider does not cooperate with a customer's investigation. [CC-OUTS-14]
26. Changes in law or legal circumstances are not noticed or properly taken into account. [CC-OUTS-15]
27. Customer does not know what legislation or regulation the cloud provider is subject to. [CC-OUTS-16]
28. Customer loses rights to its data. [CC-OUTS-17]
29. Cloud provider cooperating too readily with cease and desist notices, subpoenas or other legal requests. [CC-OUTS-18]

Privacy and Access to Data

30. Weak privacy policy and clauses endangering customer privacy. [CC-OUTS-19]
31. Cloud provider access to the environment endangering customer privacy. [CC-OUTS-20]
32. An insufficient or badly implemented policy relating to the removal of data leads to a breach of the privacy of the customer. [CC-OUTS-21]

Infrastructure Design

33. A lack of information regarding the cloud provider infrastructure leads to the customer misunderstanding the availability risks it is taking. [CC-OUTS-22]
34. A lack of information regarding the cloud provider infrastructure leads to the customer misunderstanding the performance of the acquired services. [CC-OUTS-22]
35. A lack of information on the resiliency management program leads to a customer not taking the right action when it is needed. [CC-OUTS-23]
36. Changes to the information system surprise a customer. [CC-OUTS-24]
37. Cloud provider stops supporting essential technology. [CC-OUTS-24]
38. The controls that guide changes to the information system are not clear to the customer. [CC-OUTS-24]

Security Process

39. Lack of information on the current security status, policy and requirements leads to the customer reacting incorrectly to a security situation. [CC-OUTS-25]
40. Customer can not check if security weaknesses are mitigated. [CC-OUTS-26]
41. Audit reports reveal security weaknesses to third parties. [CC-OUTS-26]
42. Customer does not have sufficient information on the cloud provider's policy with respect to conflicting roles. [CC-OUTS-27]
43. Cloud provider personnel has conflicting roles leading to a breach of privacy. [CC-OUTS-27]
44. Customer not being aware of its responsibilities when an incident occurs, leading to an increased severity of the incident. [CC-OUTS-28]
45. It should be possible for the customer to perform a vulnerability assessment. [CC-OUTS-29]

Operational Process

46. Customer is not informed regarding incidents that could impact its business. [CC-OUTS-30]
47. Logs on incidents are not made available to the customer. [CC-OUTS-30]
48. Customer does not receive sufficient information about SLA performance and resource utilisation. [CC-OUTS-31]
49. Insufficient information is provided during and before maintenance and outages. [CC-OUTS-32]
50. Maintenance has a duration and a timing that is inconvenient to the business of the customer. [CC-OUTS-32]
51. A lack of reporting after outages leads to the customer misunderstanding the risks it is taking. [CC-OUTS-33]
52. Customer does not have sufficient information to operate the services it procures. [CC-OUTS-34]

Interfacing with the Service

53. The cloud provider's management interface is compromised. [CC-OUTS-35]
54. Sensitive account and financial data belonging to the customer is leaked to third parties. [CC-OUTS-36]
55. Customer can not, or only with difficulty, implement changes to the access policy. [CC-OUTS-37]
56. Customer does not have sufficient information on how management interface access rights are distributed. [CC-OUTS-37]
57. Customers with expired contracts or reduced rights continue to enjoy access rights. [CC-OUTS-37]
58. Data is inadvertently destroyed because of accidental or fraudulent instructions via the management interface. [CC-OUTS-37]
59. Management interface actions can not be related to individuals. [CC-OUTS-37]
60. Management interface is not available. [CC-OUTS-38]
61. Unauthorised persons are making requests from the cloud provider with respect to the customer's services (social hacking). [CC-OUTS-39]

Questions for the cloud provider

The questions follow the order of the risks above; some risks have more than one question.

* How much excess capacity of all the relevant resources is available to deal with increased demand?
* What shared resources are there and how is it ensured that shared resources do not become a performance bottleneck?
* How is behavior of other customers controlled in order to avoid performance risks?
* How is behavior of other customers controlled in order to avoid reputational risks?
* How is the isolation risk in the virtualisation and storage layers managed?
* How does the cloud provider ensure traffic between different environments can not be intercepted?
* How does the cloud provider deal with the risk of critical infrastructure being subpoenaed because of another customer being targeted?
* Are performance, uptime, support access and scope of the SLA clearly defined?
* Can the cloud provider provide a copy of the contract, terms of business, SLA and any other relevant documents?
* What are the legal arrangements that ensure the cloud provider can not change the SLA, Terms of Business or the rest of the agreement against the customer's wishes?
* How long are the contracts and cancellation periods?
* Does the cloud provider have the obligation to make customer data
* Does the cloud provider have an obligation to ensure a migration away from its infrastructure is possible?
* Can the cloud provider provide information on its infrastructure and procedures in order to enable the customer to perform a risk assessment?
* With what internal measures does the cloud provider ensure the organisation will fulfill an agreed SLA?
* What happens when the cloud provider does not fulfill the agreed SLA?
* How will the customer find out the SLA is breached?
* How is downtime defined? Does it include unscheduled maintenance, single transit connections not being available and key system components not being available?
* How is compensation calculated when downtime is established?
* How are quality standards, associated controls and auditing policy communicated?
* How does the customer find out if an audit finds a standard not to be in compliance?
* What measures is the cloud provider obligated to take if a standard is no longer in compliance?
* How does the cloud provider stop large orders made by an unauthorised employee or third party that provided itself with authorisation?
* How is customer data ownership and availability guaranteed if the cloud provider unexpectedly ceases its activities?
* Under what circumstances can the cloud provider cancel a contract and what procedures does the cloud provider follow in these cases?
* Under what circumstances can the cloud provider suspend services and what procedures does the cloud provider follow in these cases?
* What foreign entities could the cloud provider be obliged to hand over the customer's data to?
* How does the cloud provider ensure the collection and availability of evidence when the customer needs it?
* Is the cloud provider obliged to cooperate with customer investigations?
* How are changes in the law and legal circumstances evaluated and responded to?
* What relevant legislation and regulation is the cloud provider subject to?
* Does the cloud provider have an obligation to disclose any legislation and/or regulatory framework it is subject to?
* How is the ownership of the customer with respect to its data guaranteed?
* How does the cloud provider respond to cease and desist notices and subpoenas with respect to its customers' environments and data?
* How does the cloud provider privacy policy limit the analysis and distribution of customer data?
* How does the cloud provider limit the privacy risk related to its personnel having access to customer data?
* What is the policy with respect to the removal of data and how is this policy enforced?
* Does the cloud provider disclose all relevant information in order for the customer to adequately estimate availability risks? For example an adequate description of the redundancy measures in the networking, server and storage layers.
* Does the cloud provider disclose all relevant information in order for the customer to adequately estimate the performance of the acquired services? For example an adequate description of the networking, CPU and storage capacity available for the different environments.
* Does the cloud provider provide relevant information to the customer with respect to the resiliency management program?
* What is the policy with respect to changes to the information system that affect a customer?
* Will the cloud provider continue supporting essential technology that the customer needs?
* Does the cloud provider disclose the controls that guide changes to the information system?
* How does the cloud provider provide information on the current security policy, security status and the actions related to security that are required from the customer?
* Is the mitigation of security weaknesses audited?
* How does the cloud provider ensure audit reports do not reveal security weaknesses?
* What is the cloud provider's policy with respect to conflicting roles?
* What cloud provider personnel could have conflicting roles?
* How is the customer informed of its responsibilities in the case an incident occurs?
* Is it possible for the customer to perform a vulnerability assessment? What could the scope of such an assessment be?
* How does the cloud provider ensure that the customer is informed about incidents that could impact its business?
* Does the cloud provider guarantee the availability of incident logs for the customer?
* What information on SLA performance and resource utilisation does the cloud provider commit to provide?
* What procedures are in place to provide information in case of maintenance and outages?
* What is the policy with respect to the timing and duration of maintenance?
* What is the policy with respect to reporting on the cause and mitigation of outages?
* What documentation or support does the cloud provider commit to make available so the customer can operate its services?
* What security measures are in place in order to secure the management interface and the connections to it?
* How is sensitive customer information protected?
* How can the customer implement changes to the management interface access rights?
* How can the customer review management interface access rights?
* What is the procedure for reducing access rights after a contract expires or access is reduced for another reason?
* Are there protections against data being inadvertently destroyed via the management interface?
* Are all management interface accounts individualised?
* How is availability of the management interface ensured?
* What measures are in place to protect against social hacking?
