Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties.


CONTROL ID
13147
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Manage cloud services., CC ID: 13144

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • When using a cloud service for a specified system, it is necessary to understand the control target cloud bases (Notes) and countries or regions in which data will be stored when selecting cloud service providers and while using their services as well as to pay attention to applicable domestic and f… (C24.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • In service level agreements, their process documentation or comparable documentation, the cloud provider provides comprehensible and transparent specifications regarding its jurisdiction as well as with respect to data storage, processing and backup locations, which allow an expert third party to as… (Section 4 UP-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The cloud service provider should inform the cloud service customer of the legal jurisdictions governing the cloud service. The cloud service provider should identify its own relevant legal requirements (e.g., regarding encryption to protect personally identifiable information (PII)). This informatio… (§ 18.1.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)