Specifies supplemental guidance for a management system that is intended to bring provision of information security Cloud Services under management control through specific requirements. Organizations that meet the requirements are certified by an accredited agency. By using a structured approach to defining and meeting the security requirements and a formal approach to risk management, organizations are able to minimize impacts to their information and assets for provision of Cloud Services, and give confidence to interested parties that security requirements are in place and being met.