
Title:

Directions on Information and Communication Security Management and Control of New Technologies for Associations of Securities and Futures Market

Amended Date: 2024.12.27 
Categories: Information Operations
Article 6     (Cloud service audit)
  1. With regard to cloud service outsourcing operations, an organization shall have the ultimate responsibility for supervision of the cloud service provider by performing periodic audits on the cloud service provider. It is advised to have plans, according to a risk-based approach, for audit frequency, what should be audited, and the time and method of audit. Where necessary, a third-party professional may be appointed to assist in the supervision. The industry-specific directions for operations outsourcing shall also be complied with.
  2. An organization shall ensure that it, the competent authority, the industry association and its appointed person may access information or reports on the operation of the cloud service provider, including audit reports on client information and relevant systems, and perform audits.
  3. For cloud outsourcing operations involving materiality, it is advised that the key audits on cloud services shall include:
    1. Physical security control and management mechanism of the server room enabling cloud services.
    2. Important systems and control links relating to operation by the cloud service provider.
    3. Contents of reports provided by the cloud service provider during due diligence.
    4. Data deletion and disaster recovery process on the cloud platform.
    5. The cloud service provider’s business continuity control measures.
    6. Appropriateness of implementation of cloud service operation, and compliance with the relevant international information security standards and privacy protection standards.
  4. Improvements by the cloud service provider based on the audit results shall be followed up on a continuous basis to ensure it takes proper and timely alternatives.