Authors: Muhammad Imran Tariq (1) and Vito Santarcangelo (2)
Affiliations: (1) Superior University, 36-L and Gulberg-III, Pakistan; (2) Centro Studi S.r.l. and University of Catania, Italy
Keyword(s):
Information Security, Cloud Computing, ISO 27001:2013, Security Assessment, Effectiveness of ISO 27001:2013 Controls.
Abstract:
Cloud computing provides scalable, highly available and low-cost services over the Internet. The advent of newer technologies introduces new risks and threats as well. Although the cloud has very advanced structures and an expanding range of services, security and privacy concerns have been creating obstacles for enterprises to shift entirely to the cloud. Therefore, both service providers and clients should build an information security system and a trust relationship with each other. In this research paper, we analysed the most widely used international and industry standard for information security (ISO/IEC 27001:2013) to determine its effectiveness for cloud organizations and the importance factor of each control for on-premises, IaaS, PaaS and SaaS deployments, and to identify the most suitable controls for the development of SLA-based information security metrics for each cloud service model. We evaluated the standard's control objectives generically, without considering the cloud organization's size or nature of work. To determine the effectiveness, relevance to cloud computing, and importance factor of the standard's control objectives for in-house or public cloud deployment, we defined a quantitative metric. We conclude that ISO/IEC 27001:2013 compliance improves the information security systems of service providers and customers and builds a trust relationship, but does not fulfil all requirements or cover all relevant issues.