JIS Q 27017:2016 Information technology – Security techniques – Code of practice for information security controls based on JIS Q 27002 for cloud services | Page 9

38
Q 27017 : 2016 (ISO/IEC 27017 : 2015)
Annex B
(informative)
References on information security risks of cloud computing
The appropriate use of the information security controls provided in this standard depends on the organization's information security risk assessment and risk treatment. Although these are important subjects, this standard does not focus on the process of information security risk assessment and treatment. The following is a list of references that contain descriptions of risk sources and risks in the provision and use of cloud services. It should be noted that risk sources and risks change according to the type and nature of the service and to new cloud computing technologies. Users of this standard should refer to the latest edition of each reference as necessary.
Recommendation ITU-T X.1601 (2014), Security framework for cloud computing.
Australian Government Information Management Office 2013, Summary of Checkpoints in: Privacy and Cloud Computing for Australian Government Agencies, Better Practice Guide, Version 1.1, February, pg. 8.
http://www.finance.gov.au/files/2013/02/privacy-and-cloud-computing-for-australian-government-agencies-v1.1.pdf
Australian Government Cyber Security Centre 2015, Cloud Computing Security for Tenants, April.
http://www.asd.gov.au/publications/protect/CloudComputingSecurityforTenants.pdf
Australian Government Cyber Security Centre 2015, Cloud Computing Security for Cloud Service Providers, April.
http://www.asd.gov.au/publications/protect/CloudComputingSecurityforCloudServiceProviders.pdf
Cloud Security Alliance 2014, Cloud Controls Matrix, January.
ENISA 2009, Cloud Computing Security Risk Assessment, November.
ENISA 2009, Cloud Computing Information Assurance Framework, November.
Hong Kong OGCIO 2013, Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms, April.
Hong Kong OGCIO 2013, Security Checklists for Cloud Service Consumers, January.
ISACA 2012, Security Considerations for Cloud Computing, July.
NIST, SP 800-144 2011, Guidelines on Security and Privacy in Public Cloud Computing, December.
NIST, SP 800-146 2012, Cloud Computing Synopsis and Recommendations, May.
SPRING Singapore 2012, Annex A: Virtualisation Security Risk Assessment of Singapore Technical Reference 30:2012 Technical Reference for virtualisation security for servers, March.
SPRING Singapore 2012, Annex A: Checklist of security and service level considerations when reviewing SaaS of Singapore Technical Reference 31:2012 Technical Reference for security and service level guidelines for the usage of public cloud computing services, March.
SPRING Singapore 2013, Annex A: Cloud Service Provider Disclosure of Singapore Standard SS 584:2013 Specification for Multi-Tiered Cloud Computing Security, August.
SPRING Singapore 2012, Annex B: Checklist of security and service level considerations when reviewing IaaS of Singapore Technical Reference 31:2012 Technical Reference for security and service level guidelines for the usage of public cloud computing services, March.
SPRING Singapore 2013, Singapore Standard SS 584:2013 Specification for Multi-Tiered Cloud Computing Security, August.
SPRING Singapore 2012, Singapore Technical Reference 30:2012 Technical Reference for virtualisation security for servers, March.
SPRING Singapore 2012, Singapore Technical Reference 31:2012 Technical Reference for security and service level guidelines for the usage of public cloud computing services, March.
US Government FedRAMP PMO 2014, FedRAMP Security Controls Baseline Version 2.0, June.

Bibliography
[1] Recommendation ITU-T X.805 (2003), Security architecture for systems providing end-to-end communications.
[2] ISO/IEC 17203:2011, Information technology – Open Virtualization Format (OVF) specification
[3] JIS Q 27001, Information technology – Security techniques – Information security management systems – Requirements
NOTE Corresponding International Standard: ISO/IEC 27001, Information technology – Security techniques – Information security management systems – Requirements
[4] ISO/IEC 27005:2011, Information technology – Security techniques – Information security risk management
[5] ISO/IEC 27018:2014, Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
[6] ISO/IEC 27036-1:2014, Information technology – Security techniques – Information security for supplier relationships – Part 1: Overview and concepts
[7] ISO/IEC 27036-2:2014, Information technology – Security techniques – Information security for supplier relationships – Part 2: Requirements
[8] ISO/IEC 27036-3:2013, Information technology – Security techniques – Information security for supplier relationships – Part 3: Guidelines for information and communication technology supply chain security
[9] ISO/IEC CD 27036-4, Information technology – Security techniques – Information security for supplier relationships – Part 4: Guidelines for security of cloud services (under development)
[10] ISO/IEC 27040:2015, Information technology – Security techniques – Storage security
[11] ISO 19440:2007, Enterprise integration – Constructs for enterprise modelling
[12] JIS Q 31000:2010, Risk management – Principles and guidelines
NOTE Corresponding International Standard: ISO 31000:2009, Risk management – Principles and guidelines
[13] NIST, SP 800-145 2011, The NIST Definition of Cloud Computing.
[14] NIST 2009, Effectively and Securely Using the Cloud Computing Paradigm.
[15] ENISA 2009, Cloud Computing Benefits, risks and recommendations for information security.
[16] Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing V3.0.
[17] Cloud Security Alliance, Top Threats to Cloud Computing V1.0.
[18] Cloud Security Alliance, Domain 12: Guidance for Identity & Access Management V2.1.
[19] ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives.
[20] ISACA, Cloud Computing Management Audit/Assurance Program.

International standards cited by JIS Q 27017:2016

  • ISO/IEC 27017:2015 (IDT)
