An organization wants to detect its hidden cloud infrastructure by auditing its cloud environment and resources such that it shuts down unused/unwanted workloads, saves money, minimizes security risks, and optimizes its cloud inventory. In this scenario, which standard is applicable for cloud security auditing that enables the management of customer data?

An organization wants to detect its hidden cloud infrastructure by auditing its cloud environment and resources such that it shuts down unused/unwanted workloads, saves money, minimizes security risks, and optimizes its cloud inventory. In this scenario, which standard is applicable for cloud security auditing that enables the management of customer data?
A . Cloud Security Alliance
B . ISO 27001 & 27002
C . SOC2
D . NIST SP800-53 rev 4

View Answer

Answer: B

Explanation:

ISO 27001 & 27002 standards are applicable for cloud security auditing that enables the management of customer data. These standards provide a framework for information security management practices and controls within the context of the organization’s information risk management processes.

ISO 27001: This is an international standard on how to manage information security. It provides requirements for an information security management system (ISMS) and is designed to ensure the selection of adequate and proportionate security controls.

ISO 27002: This standard supplements ISO 27001 by providing a reference set of generic information security controls including best practices in information security.

Auditing and Management: Both standards include guidelines and principles for initiating, implementing, maintaining, and improving information security management within an organization, which is essential for auditing and managing customer data.

Risk Assessment: They emphasize the importance of assessing IT risks as part of the audit process, ensuring that any hidden infrastructure or unused workloads are identified and managed appropriately.

Reference: ISO 27001 & 27002 standards are recognized globally and are often used as a benchmark for assessing and auditing information security management systems, making them suitable for organizations looking to optimize their cloud inventory and manage customer data securely12.