Laboratory for Internet and Innovative Technologies

Cloud service providers (CSPs) and cloud customers (CCs) are not only exposed to existing security risks but to new risks introduced by clouds, like multi-tenancy, virtualization and data outsourcing. Several international and industrial standards target information security and their conformity with cloud computing security challenges. We give an overview of these standards and evaluate their completeness. As a result we propose a new extension to the ISO 27001:2005 standard including a new control objective about virtualization applicable for cloud systems. We also define a new quantitative metric and evaluate the importance of existing ISO 27001:2005 control objectives if customer services are hosted on-premise or in cloud. Our conclusion is that obtaining the ISO 27001:2005 certificate is not enough for CSP and CC information security systems, especially in business continuity detriment that cloud computing produces and propose new solutions that mitigate the risks.


Sasko Ristov, Marjan Gusev, and Magdalena Kostoska


Information Security Management, Security Assessment, Security Standards, Virtualization

Full Paper

The paper is published in MIPRO 2012, Proceedings of 35th Int. Convention on ICT, Opatija, Croatia, IEEE Conference proceedings, ISBN 978-1-4673-2577-6, 2012