Cloud Access Audit Services

ParkinsonHowe conduct a review of the current state of an organisation's information security and risk environment to identify any shortfalls or gaps in compliance with ISO/IEC 27001:2013 and ISO/IEC 27002:2013.

The review will be conducted over an agreed period and will take the form of interviews with the key stakeholders. During these interviews, the current policies, practices and procedures that apply to the organisation's information security and risk environment are assessed, and the findings are collated into the Statement of Applicability assessment report.

The purpose of this report is to give both a graphical and a written representation of the organisation's level of adherence and of the gaps it faces. The assessment tool also provides a benchmarking score, which rates the organisation against an industry average.

The applicability assessment will also capture several aspects of the organisation's controls: control maturity, control automation, control capability, and completeness by functional grouping. The key areas to be reported on will be:

  • Information Security Management
  • Information Security Policies
  • Information Security Risk Assessment
  • Information Security Incident Management, Response & Recovery
  • Threat Detection
  • Asset Management
  • Supplier Relationships
  • System Acquisition, Development and Maintenance

The following standards will be used as the basis for the work and report:

  • ISO/IEC 27001:2013 - Information technology -- Security techniques -- Information security management systems -- Requirements
  • ISO/IEC 27002:2013 - Information technology -- Security techniques -- Code of practice for information security controls
  • ISO/IEC 27035-1:2016 - Information technology -- Security techniques -- Information security incident management -- Part 1: Principles of incident management
  • ISO/IEC 27035-2:2016 - Information technology -- Security techniques -- Information security incident management -- Part 2: Guidelines to plan and prepare for incident response
  • ISO 31000:2009 - Risk management -- Principles and guidelines

Where applicable, other standards may be referenced within the report:

  • ISO/IEC 27017:2015 - Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018:2014 - Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • Payment Card Industry Data Security Standard (PCI DSS)
  • National Institute of Standards and Technology (NIST) frameworks