CL130: Cloud Information Security according to ISO/IEC 27017/27018

Agenda:

• Motivation and fundamentals
  • Cloud computing fundamentals
    • Concepts
    • Reference architecture
    • Shared responsibility model
  • Cloud security
    • Threats and attack vectors
    • Security concepts
  • Cloud security services
    • Azure
    • Google™ Cloud Platform (GCP)
    • AWS™
      
      
• Important standards/norms, certificates and best practices
  • Standards and norms
    • ISO/IEC 27001
    • ISO/IEC 27017/18
    • BSI™ C5
    • NIST SP 800-xx
    • NIST cyber security framework
    • CIS
    • ...
  • Personal certifications
    • CSA CCSK
    • ISC2™ CCSP
  • Product certifications
    • Azure security engineer
    • Google™ cloud security engineer
    • AWS™ certified security
      
      
• Organizational requirements and recommendations for cloud security
  • Management (ISMS, security controls, DR, BCM)
    • Implementation planning
    • Implementation rollout
    • Implementation review and adjustment
  • Risk management and analysis
  • Cloud onboarding process
  • Reporting
  • Auditing and compliance
  • Strategic tool usage
    • Azure: Compliance manager
    • Google™ Cloud: Security command center
    • AWS™: AWS™ security hub
      
      
• Technical requirements and operational cloud security operations
  • Typical cloud and multi-cloud architecture
  • Data security and architecture
  • Zero trust
  • Design and operations of secure cloud applications
  • Identity and access management
  • Cloud security monitoring (monitoring, incidents, forensics)
  • Tactical and operational tool usage
    
    
• Discussion and summary

Objectives:

We provide you with comprehensive knowledge for the planning, implementation, monitoring, and improvement of Cloud Information Security in the context of recognized Cloud Security Frameworks. In this intensive training, participants acquire in-depth knowledge of the necessary steps for compliant and secure cloud operations.

For the secure and compliant introduction of cloud services, the following topics are covered:

• Appropriate frameworks, norms, and standards.
• Security architecture and policies for cloud infrastructures and their criteria to ensure that data and resources are adequately protected.
• The Shared Responsibility Model in relation to security.
• New security models in the cloud such as Zero Trust and their possible implementation.
• Identity and access management to ensure that only authorized users can access cloud resources.
• Data and application security: encryption concepts and securing the various service models.
• A pragmatic overview of possible solution approaches with different providers (Azure, Google™ Cloud, Amazon Web Services).

Two standards in the ISO 27000 series have specifically focused on this topic:

• ISO/IEC 27017 addresses both the use of cloud solutions and the provision of cloud services.
• ISO/IEC 27018 relates to the protection of personal data in public cloud solutions.

Guiding questions:

1. What opportunities do the security frameworks and concepts offer for companies that want to use cloud services as well as for companies that offer cloud services?
2. How can cloud security be expanded or addressed within the framework of an ISMS with ISO/IEC 27017/18?
3. What implementation possibilities (design principles) can be used in the context of a security architecture?

Furthermore, the course CL130 provides a good basis for further advanced courses, such as:

1. SC135 Internal Auditor
2. SC150 ISMS Auditor/Lead Auditor (IRCA™ A17608)

Target audience:

• Information Security Officers
• CISOs
• Compliance Officers
• Cyber Security Architects
• Cloud Competence Center
• Data Protection Officers

Prerequisites:

Description:

Digitalization is advancing relentlessly, both in the private sector and in government agencies. To unlock the full potential of digitalization, there is no way around the cloud. But how can an adequate level of security be achieved when using the cloud?

While the course CL120 Cloud Compliance – Standards, Security Requirements, Solutions focuses on aspects that must be considered before using cloud services (such as regulatory and legal requirements regarding contract design, information security, and data protection), the workshop CL130 Cloud Information Security according to ISO/IEC 27017/27018 builds on this and is dedicated to the secure introduction and use of cloud services, i.e., the concrete implementation of these requirements. Topics already covered, such as BSI™-C5, are deepened and concretized in a practical manner.

Participants will receive in this three-day workshop a solid overview of the possibilities of handling cloud services within an ISMS and guidance on secure cloud architecture and implementation.