CL130: Cloud Information Security according to ISO/IEC 27017/27018, BSI™ C5 und C3A

Agenda:

• Motivation and fundamentals
  • Basic concepts of cloud computing
    • Concepts
    • Reference architecture
    • Shared Responsibility Model
  • Cloud Security
    • Threats and attack vectors
    • Security concepts
  • Overview of Cloud Security Services (hyperscalers and European offerings)
    
    
• Important norms/standards, certificates and best practices
  • Norms and standards
    • ISO/IEC 27001
    • ISO/IEC 27017/18
    • BSI™ C5
    • BSI™ C3A
    • Mapping ISO/IEC 27017 ↔ C5 ↔ C3A
    • NIST SP 800-xx
    • NIST Cyber Security Framework
    • CIS
    • …
  • Personal certifications
    • CSA CCSK
    • ISC2™ CCSP
  • Product certifications
    • Azure Security Engineer
    • Google™ Cloud Security Engineer
    • AWS™ Certified Security
      
      
• Organizational requirements and recommendations for Cloud Security
  • PDCA cycle for Cloud Security (Plan, Do, Check, Act in the cloud context)
  • Management and analysis of risks (cloud-specific)
  • Cloud onboarding process
  • Operationalization of C5 customer obligations in the ISMS
  • Implementation of C3A requirements in existing cloud implementations
  • Integration of the C5 attestation into the organization’s own risk assessment and ICS
  • Auditing and compliance
  • Use of tools from a strategic perspective (compliance and security consoles of the major providers)
    
    
• Technical requirements and operational management of Cloud Security
  • Typical architecture of a cloud or multi-cloud environment
  • Data security and data architecture
  • Zero Trust
  • Design and operation of secure cloud applications
  • Identity and Access Management
  • Technical implementation of C3A requirements: BYOK/HYOK, key management, Confidential Computing, data localization, logging sovereignty
  • Configuration hardening according to C5 controls (OPS, IDM, KRY, BCM, RB, KOS)
  • Monitoring Cloud Security (monitoring, incidents, forensics)
  • Evidence provision to auditors – combined evidence for 27017, C5 and C3A
  • Use of tools from a tactical and operational perspective
    
    
• Discussion and summary

Objectives:

We provide you with comprehensive knowledge for the planning, implementation, monitoring and improvement of cloud information security in the context of recognized cloud security frameworks. In this intensive training, participants acquire in-depth knowledge of the necessary steps for compliant and secure cloud operation.

The following topics are covered for the secure and compliant adoption of cloud services:

• Suitable frameworks, norms and standards.
• Security architecture, Zero Trust, IAM and data security for cloud infrastructures and their service models.
• The Shared Responsibility Model with regard to security.
• Implementation of the customer responsibilities from BSI™™ C5 and the requirements from BSI™™ C3A in the ISMS – from control selection and technical configuration to evidence management.
• Mapping of the controls from ISO/IEC 27017/27018, C5 and C3A to concrete implementation measures.
• Encryption concepts and securing the various service models.
• A pragmatic overview of possible solution approaches for hyperscalers and European cloud offerings.

The following norms and criteria frameworks are central to this course:

• ISO/IEC 27017 – Use and provision of cloud solutions
• ISO/IEC 27018 – Protection of personal data in public cloud solutions
• BSI™ C5 – auditable requirements for cloud providers and customer obligations
• BSI™ C3A – supplementary requirements for sovereign cloud usage

Key questions:

• What opportunities do the security frameworks and concepts offer, both for companies that want to use cloud services and for companies that provide cloud services?
• How can cloud security be extended or addressed within an ISMS using ISO/IEC 27017/18?
• What implementation options (design principles) can be used in the context of a security architecture?
• How are the requirements from ISO/IEC 27017/27018, BSI™ C5 and BSI™ C3A jointly operationalized in the ISMS – with which processes, measures and evidence?

Furthermore, the course CL130 provides a good basis for further advanced courses, such as:

1. SC135 Internal Auditor
2. SC150 ISMS Auditor/Lead Auditor (IRCA™ A17608)

Target audience:

• Information Security Officers
• CISOs
• Compliance Officers
• Cyber Security Architects
• Cloud Competence Center
• Data Protection Officers

Prerequisites:

• Function and structure of an ISMS according to ISO/IEC 27001.

Description:

Digitalization is progressing relentlessly, both in the private sector and in public authorities. To unlock the full potential of digitalization, there is no way around the cloud. But how can an appropriate level of security be achieved when using the cloud?

While the course CL120 Cloud Compliance – Standards, Security Requirements, Solution Approaches focuses on aspects that must be considered before using cloud services (such as regulatory and legal requirements regarding contract design, information security and data protection), the workshop CL130 Cloud Information Security in accordance with ISO/IEC 27017/27018, BSI™ C5 and C3A builds on this and focuses on the secure adoption and use of cloud services, i.e. the concrete implementation of these requirements. Requirements from BSI™ C5 and C3A are explored in greater depth and broken down into concrete implementation measures.

In this three-day workshop, participants receive a solid overview of the options for addressing cloud services in an ISMS and guidance on secure cloud architecture and implementation.