Cloud service management
Customer-oriented description of personal data return, transfer and disposal processes for offered cloud services

Other tasks from the same security theme

Task name
Priority
Status
Theme
Policy
Other requirements
Ensuring sufficient client data segregation and protection in external IT services
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

5.3.4: Information protection in external IT services
TISAX
Ensuring sufficient client data segregation and protection in external IT services
1. Task description

The organization must have a procedure for verifying that the external service provider effectively segregates its clients' environments, so that other clients of the provider cannot gain unauthorized access to our environment.

The provider's segregation concept should be documented and kept up to date as the service changes. The following should be considered:

  • Separation of data
  • Functions
  • Customer-specific software
  • Operating systems
  • Storage systems
  • Networking

There should also be a risk assessment for operating external software within a shared environment.

Measures for data transfer of services in accordance with information security goals
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

PI1.4: Procedures for availability according to objectives
SOC 2
Measures for data transfer of services in accordance with information security goals
1. Task description

The organization must implement practices and procedures to ensure that information leaving the services is complete and delivered on time. The procedures must take into account:

  • Protection of outgoing information, both when stored and when transferred, from theft, destruction, modification or other events affecting its integrity
  • Sharing outgoing information only with its intended recipients
  • Logging of outgoing data
Measures for the implementation of information security objectives in the offered services
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

PI1.3: Procedures for system processing to produce results according to objectives
SOC 2
Measures for the implementation of information security objectives in the offered services
1. Task description

The organization must establish controls to achieve the information security objectives of the offered services. The controls must take into account:

  • Data processing requirements
  • Necessary data processing
  • Detecting and correcting production errors
  • Data processing logs
  • Completeness, accuracy and timeliness of data entry
Ensuring the completeness and accuracy of the information entering the systems
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

PI1.2: Implementation of policies and procedures for system inputs
SOC 2
Ensuring the completeness and accuracy of the information entering the systems
1. Task description

The organization must set up control measures to ensure the completeness and accuracy of the information entering the systems. For this purpose, the following should be defined:

  • The required characteristics of incoming data
  • Evaluation of the sources of incoming data
  • Logging of incoming data and maintenance of those logs
Defining the information needed to maintain the services or products offered
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

PI1.1: Definitions of processed data
SOC 2
Defining the information needed to maintain the services or products offered
1. Task description

When data is delivered as part of a service or product or as part of a product or service-related reporting obligation, the definition of data must be available to data users.

The definition of data includes the following information:

  • The number of events in the data
  • The type of information contained in each data element (e.g. field), and the event to which the data field relates
  • Sources of information
  • Data elements (e.g. fields) unit(s) of measurement
  • Precision of measurement
  • Uncertainty or confidence interval inherent in each data element
  • Date or time period of the event associated with the data
  • Variables (in addition to the date/period) that can be used to define the inclusion of items in data elements
Assisting customer in fulfilling data subject requests
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

A.8.3: Obligations to PII principals
ISO 27701
A.8.3.1: Obligations to PII principals
ISO 27701
Assisting customer in fulfilling data subject requests
1. Task description

The organization should make it possible for the customer to fulfill its requirements regarding data subjects.

Providing information for fulfilling customer obligations
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

A.8.2.5: Customer obligations
ISO 27701
Providing information for fulfilling customer obligations
1. Task description

The organization should provide the customer with the necessary information so that the customer can demonstrate that it fulfills its obligations.

The role of the organization in critical infrastructure
Development and cloud
Cloud service management
4
requirements

Examples of other requirements this task affects

ID.BE-2: Place in critical infrastructure
NIST
71: Identifying the organisation's role
Digiturvan kokonaiskuvapalvelu (Digital Security Overview Service)
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
CyberFundamentals
The role of the organization in critical infrastructure
1. Task description

The organization's own place and role in the critical infrastructure is defined and communicated to the necessary parties.

It is important to recognize whether society more broadly depends on the services the organization produces. Such criticality of the operation can increase the risk of, for example, hybrid and information influence operations, and emphasizes the need to be prepared for them.

The role of the organization in the supply chain
Development and cloud
Cloud service management
3
requirements

Examples of other requirements this task affects

ID.BE-1: Role in supply chain
NIST
ID.BE-1: The organization’s role in the supply chain is identified and communicated.
CyberFundamentals
The role of the organization in the supply chain
1. Task description

The organization's own role in the supply chain is defined and communicated to the necessary partners.

Description of administrative data flows
Development and cloud
Cloud service management
3
requirements

Examples of other requirements this task affects

ID.AM-3: Communication and data flows
NIST
ID.AM-3: Organizational communication and data flows are mapped.
CyberFundamentals
Description of administrative data flows
1. Task description

The organization must describe the administrative flows of communications. The description of administrative data flows complements the description of integrations between systems.

IPR complaint process in relation to offered cloud services
Development and cloud
Cloud service management
3
requirements

Examples of other requirements this task affects

18: Compliance
ISO 27017
18.1: Compliance with legal and contractual requirements
ISO 27017
18.1.2: Intellectual property rights
ISO 27017
IPR complaint process in relation to offered cloud services
1. Task description

The cloud service provider should establish a process for responding to intellectual property rights complaints.

Secure disposal of cloud service specific resources
Development and cloud
Cloud service management
6
requirements

Examples of other requirements this task affects

PR.DS-3: Asset management
NIST
11: Physical and environmental security
ISO 27017
11.2: Equipment
ISO 27017
11.2.7: Secure disposal or re-use of equipment
ISO 27017
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
CyberFundamentals
Secure disposal of cloud service specific resources
1. Task description

When offering cloud services, the organisation must have procedures in place for safe disposal or potential reuse of resources utilized in service providing, such as:

  • Equipment
  • Devices
  • Data storage
  • Files
  • Memory

When utilizing cloud services, the customer organisation should ensure secure disposal by requesting confirmation of these procedures from the cloud service provider.

Documentation of data owned by cloud service customers
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

8.1.1: Inventory of assets
ISO 27017
Documentation of data owned by cloud service customers
1. Task description

When offering cloud services to customers, the organisation should identify and list the data related to the cloud services that the customer controls. These are referred to as external data stores.

The organisation also needs to inventory derived data that is created through offering the cloud service. Such data can be controlled by the organisation and listed in the system documentation instead of among the external data stores.

Clear communication of organisation and data storage location in relation to offered cloud services
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017
Clear communication of organisation and data storage location in relation to offered cloud services
1. Task description

When offering cloud services, the organisation must clearly and actively inform the customer of the organisation’s geographic location and the countries where the customer's data is stored.

This information can help the customer e.g. in determining the relevant supervisory authorities and jurisdictions when utilizing the cloud service.

Detailed descriptions of implemented security measures on contracts related to offered cloud services
Development and cloud
Cloud service management
4
requirements

Examples of other requirements this task affects

A.11.11: Contract measures
ISO 27018
15: Supplier relationships
ISO 27017
15.1: Information security in supplier relationships
ISO 27017
15.1.2: Addressing security within supplier agreements
ISO 27017
Detailed descriptions of implemented security measures on contracts related to offered cloud services
1. Task description

When an organization offers cloud services for its customers, the contract between the provider and customer should clearly specify the technical and organizational measures implemented to ensure information security.

The contract must also address that the data is not processed for any other purpose than according to instructions of the controller.

When offering cloud services, the provider should be transparent about its information security measures during the process of entering into a contract. However, it is ultimately the customer’s responsibility to ensure that implemented measures by the provider meet its obligations.

Customer-oriented description of personal data return, transfer and disposal processes for offered cloud services
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

A.10.3: PII return, transfer and disposal
ISO 27018
A.8.4.2: Return, transfer, or disposal of PII
ISO 27701
Customer-oriented description of personal data return, transfer and disposal processes for offered cloud services
1. Task description

Personal data related to the offered cloud services must be disposed of properly and in accordance with the storage limitation principle. Disposal can mean returning the data to the customer on request, transferring it to another company (e.g. as a result of a merger), or securely destroying, anonymizing or archiving it.

The organisation should have a clear written description of the retention period and of the return, transfer and disposal mechanisms for personal data. This description should be made available to the customer.

Using this description, the customer should be able to understand how the organisation will ensure that personal data processed under a contract is erased (also by any of its sub-contractors) from all storage locations (including e.g. backups) as soon as it is no longer necessary for the customer.

Data subject’s right facilitation through offered cloud services
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

A.2: Consent and choice
ISO 27018
A.2.1: Obligation to co-operate regarding PII principals’ rights
ISO 27018
Data subject’s right facilitation through offered cloud services
1. Task description

The cloud service customer often acts as the personal data controller and is responsible for fulfilling data subject rights, e.g. access to, correction of or deletion of their personal data. The cloud service provider should provide the customer with the necessary means to enable this.

The organization has defined measures for how data controllers using the offered cloud services are assisted in fulfilling data subject rights. These may include e.g. cloud service features or manual support actions.

Relevant information and any technical measures related to this facilitation should be specified in the relevant contract.

Documented procedures and supervision for critical admin operations on offered cloud services
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

CLD 12.1: Operational procedures and responsibilities
ISO 27017
CLD 12.1.5: Administrator's operational security
ISO 27017
Documented procedures and supervision for critical admin operations on offered cloud services
1. Task description

Critical admin operations mean operations where a failure can cause unrecoverable damage to assets in the cloud computing environment.

Critical admin operations may include e.g. changes related to virtualized devices (e.g. servers, networks, storage), termination procedures, backup and restoration.

For all offered cloud services, the critical admin operations are documented, and the procedures for carrying them out are documented beforehand in the necessary detail.

Whenever a critical admin operation is carried out, a supervisor named in the documentation monitors the operation.

In relation to offered cloud services, the cloud service provider must provide documentation about critical admin operations and procedures if required by customers.

Segregation of customer’s virtual environments in relation to offered cloud services
Development and cloud
Cloud service management
1
requirements

Examples of other requirements this task affects

CLD 9.5.1: Segregation in virtual computing environments
ISO 27017
Segregation of customer’s virtual environments in relation to offered cloud services
1. Task description

When offering cloud services, the cloud service customer’s virtual environment should be separated and protected from other customers and unauthorized persons.

To ensure this, the organisation should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network.

Segregation should also ensure the separation of the cloud service provider's internal administration from resources used by cloud service customers.
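As an added example, not taken from the original page or from any provider's code base, the following shows one way to enforce the logical segregation of customer data described above, and the client-environment segregation a customer should expect to find documented by an external provider (see "Ensuring sufficient client data segregation and protection in external IT services"), at the database layer using PostgreSQL row-level security. The role, table, column and setting names are assumptions, the two tenant ids are constructed, and the script is assumed to run as a superuser or as a role that is a member of both roles it switches into:

```sql
-- Added example; not from the original page or from any provider's code base.
-- Role, table, column and setting names are assumptions for illustration.

-- Two separate roles: the application tier that serves customers, and the
-- provider's internal operations staff. Keeping them apart is the
-- "provider administration vs. customer resources" part of the segregation.
CREATE ROLE app_service NOLOGIN;
CREATE ROLE provider_ops NOLOGIN;

-- All customers share one table; tenant_id is the segregation key.
CREATE TABLE customer_records (
    id         bigserial   PRIMARY KEY,
    tenant_id  uuid        NOT NULL,
    payload    jsonb       NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);
CREATE INDEX customer_records_tenant_idx ON customer_records (tenant_id);

-- Enable RLS, and FORCE it so that even the table owner is not exempt.
ALTER TABLE customer_records ENABLE ROW LEVEL SECURITY;
ALTER TABLE customer_records FORCE ROW LEVEL SECURITY;

-- Application policy: a row is readable or writable only when its tenant_id
-- equals the tenant bound to the current transaction. NULLIF(..., '') turns
-- both "never set" (NULL) and "reset to default" ('') into NULL, so a request
-- that forgot to bind a tenant matches no rows instead of all rows.
CREATE POLICY tenant_isolation ON customer_records
    FOR ALL TO app_service
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Operations policy: every row is visible for capacity and retention work,
-- but the column-level grant below withholds the customer payload itself.
CREATE POLICY ops_metadata ON customer_records
    FOR SELECT TO provider_ops
    USING (true);

GRANT SELECT, INSERT, UPDATE, DELETE ON customer_records TO app_service;
GRANT USAGE ON SEQUENCE customer_records_id_seq TO app_service;
GRANT SELECT (id, tenant_id, created_at) ON customer_records TO provider_ops;

-- ---- Walk-through with constructed data (two made-up tenant ids) ----------

-- Request on behalf of tenant A: bind the tenant for this transaction, then write.
BEGIN;
SET LOCAL ROLE app_service;
SET LOCAL app.current_tenant = '11111111-1111-1111-1111-111111111111';
INSERT INTO customer_records (tenant_id, payload)
VALUES ('11111111-1111-1111-1111-111111111111', '{"doc": "tenant A data"}');
-- Writing a row under another tenant's id is rejected by the WITH CHECK clause:
--   INSERT INTO customer_records (tenant_id, payload)
--   VALUES ('22222222-2222-2222-2222-222222222222', '{}');
--   fails with: new row violates row-level security policy for table "customer_records"
COMMIT;

-- Request on behalf of tenant B: tenant A's row is not visible to it at all.
BEGIN;
SET LOCAL ROLE app_service;
SET LOCAL app.current_tenant = '22222222-2222-2222-2222-222222222222';
INSERT INTO customer_records (tenant_id, payload)
VALUES ('22222222-2222-2222-2222-222222222222', '{"doc": "tenant B data"}');
SELECT count(*) FROM customer_records;   -- counts only tenant B's own row
COMMIT;

-- Application request that never bound a tenant: fails closed, sees no rows.
BEGIN;
SET LOCAL ROLE app_service;
SELECT count(*) FROM customer_records;
COMMIT;

-- Provider operations: per-tenant counts work, reading payload does not.
BEGIN;
SET LOCAL ROLE provider_ops;
SELECT tenant_id, count(*) FROM customer_records GROUP BY tenant_id;
-- SELECT payload FROM customer_records;
--   fails with: permission denied for table customer_records
COMMIT;
```

Two design choices are worth noting. The tenant is bound with SET LOCAL inside the transaction rather than baked into every query, so a query that omits a WHERE tenant_id clause still cannot cross tenants, and a request that forgets to bind a tenant sees nothing rather than everything. FORCE ROW LEVEL SECURITY removes the owner's implicit exemption, so any maintenance job that runs as the table owner needs a policy of its own (or an explicitly reviewed BYPASSRLS role) instead of relying on ownership. This covers only the data layer; the virtualized applications, operating systems, storage and network listed above need their own segregation controls.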

Documenting security-related responsibilities for offered cloud services and utilized data systems
Development and cloud
Cloud service management
8
requirements

Examples of other requirements this task affects

6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
6.1: Internal organization
ISO 27017
6.1.3: Contact with authorities
ISO 27017
Documenting security-related responsibilities for offered cloud services and utilized data systems
1. Task description

When utilizing or offering cloud services, both the service provider and the customer can have security responsibilities. For example, the service provider may be responsible for technical cyber security while the customer is responsible for access management and for providing users with guidelines for secure usage.

Responsibilities for shared information security roles towards offered cloud services and utilizing cloud-based data systems must be clearly defined and documented by both the cloud service customer and provider.

Use of a software firewall to protect provided digital services
Development and cloud
Cloud service management
4
requirements

Examples of other requirements this task affects

2.5.6: Protect particularly critical services with their own data flow
NSM ICT-SP
Use of a software firewall to protect provided digital services
1. Task description

All servers in the organization should be protected by a properly configured host-based (software) firewall that filters traffic, permits only traffic that complies with the defined rules, and logs connections for monitoring.

A WAF (web application firewall) should protect the offered digital services from application-layer attacks (e.g. SQL injection).

Listing offered digital services and naming owners
Development and cloud
Cloud service management
17
requirements

Examples of other requirements this task affects

6: Organization of information security
ISO 27017
CLD 6.3: Relationship between cloud service customer and cloud service provider
ISO 27017
CLD 6.3.1: Shared roles and responsibilities within a cloud computing environment
ISO 27017
A.2: Consent and choice
ISO 27018
A.2.1: Obligation to co-operate regarding PII principals’ rights
ISO 27018
Listing offered digital services and naming owners
1. Task description

The organization must maintain a list of the digital services it provides and the owners designated for them. The owner is responsible for completing the service's documentation and for any other security measures that are closely related to the service.

The documentation related to the digital service includes e.g. the following information:

  • The type of digital service offered, the service category and the purpose of use
  • Data controller and related processing agreements
  • Key partners in the service supply chain and the distribution of security responsibilities (discussed in more detail in a separate task)
Terms and conditions related to the offered digital services
Development and cloud
Cloud service management
2
requirements

Examples of other requirements this task affects

A.3.1: Public cloud PII processor’s purpose
ISO 27018
Terms and conditions related to the offered digital services
1. Task description

The terms and conditions related to the digital services provided by the organization have been mapped and documented. The terms of the contract shall include at least the following:

  • Nature and extent of the service provided
  • Cyber security requirements (including the shared security responsibility model)
  • Description of the change management procedure
  • Stored logs and their monitoring
  • Procedures for fault management and reporting
  • Right to audit and third party evaluation
  • Compatibility
  • Privacy requirements and descriptions of the processing of personal data
  • Termination of service
Documenting partners who are related to offered digital services supply chain
Development and cloud
Cloud service management
10
requirements

Examples of other requirements this task affects

A.8: Openness, transparency and notice
ISO 27018
A.8.1: Disclosure of sub-contracted PII processing
ISO 27018
15.1.3: Information and communication technology supply chain
ISO 27017
A.8.5.6: Disclosure of subcontractors used to process PII
ISO 27701
A.8.5.7: Engagement of subcontractor to process PII
ISO 27701
Documenting partners who are related to offered digital services supply chain
1. Task description

The organization must clearly document all the digital services it provides to its customers according to the cloud service model.

The documentation for each digital service must include the partners involved in the service supply chain. The partner listing must cover supporting services (such as IaaS platforms, e.g. AWS or Microsoft Azure), other partners in the main service provider's supply chain (such as outsourced development), and other services that complement the actual service (e.g. IDaaS, CDN).

Later, the supply chain documentation can be used to review a more detailed division of security responsibilities.

Regular security assessment of partners in the supply chain of provided digital services
Development and cloud
Cloud service management
12
requirements

Examples of other requirements this task affects

ID.SC-3: Contracts with suppliers and third-party partners
NIST
21.2.d: Supply chain security
NIS2
9.4 §: Supply chain management and monitoring
Kyberturvallisuuslaki (Finnish Cybersecurity Act)
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
CyberFundamentals
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
CyberFundamentals
Regular security assessment of partners in the supply chain of provided digital services
1. Task description

The organization shall define a security assessment and conduct it regularly for the partners in the supply chain of the digital services it provides.

This is to ensure that the partners affecting the security of the provided services remain compliant and thus fulfil the terms of the contract.
