Cloud Security Guidance: Risk Management

Updated 14 August 2014

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/cloud-security-collection

Note: This publication is in BETA. Please send any feedback to the address platform@cesg.gsi.gov.uk.

This section of the Cloud Security Guidance provides advice on how to use the Cloud Security Principles as a basis for risk management decisions relating to use of cloud services.

The risks arising from the use of cloud services should be understood and adequately managed before these services are used to store or process sensitive information.

CESG recommends that the following approach is used within an organisation’s existing risk management function.

1. Know your business requirements

Understand your business requirements for the cloud service, considering issues such as availability and accessibility. Form a risk appetite by identifying those risks that would be unacceptable to the organisation should they be realised.

2. Understand your information/application

Identify the information that will be processed, stored or transported by the cloud service. Understand the legal and regulatory implications; for example, if personal data is to be stored or processed, then the Data Protection Act should be considered.

3. Determine important security principles

Having considered the business requirements, risk appetite, and the information which will be exposed to the service provider, determine which Cloud Security Principles are important, and what implementation options are acceptable to manage risks to your organisation’s information.

4. Understand how the principles are implemented

Find out how the cloud service under consideration claims to implement the security principles you’ve identified.

5. Understand the assurance offered

Can the service provider demonstrate that the principles have been implemented correctly? This may range from no assurance (other than a supplier’s assertion) through to formal assurance by an independent third party. Understand any risks that remain.

6. Identify additional mitigations you can apply

Consider any additional mitigations that your organisation (as a consumer of the cloud service) can apply to help reduce information risk.

7. Consider residual risks

Having worked through the above steps, decide whether the residual risks are acceptable to your organisation.