
A Definitive Guide To ISO/IEC 27017 And ISO/IEC 27018 Standards



Cloud services offer flexibility and scalability, but adapting to them is challenging and raises security concerns. A company that is ISO 27001 certified and uses cloud-based services should check the ISO standards for cloud computing.


Here are the two standards that should be in focus, especially for the cloud service providers:


· ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

· ISO/IEC 27018:2014 – Information technology — Security techniques — Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors


ISO/IEC 27017 Standard


The ISO 27017 standard is higher than ISO 27001: it addresses concerns related to customer identification and the separation of servers and virtual assets, and it gives clarity on how roles and responsibilities are distributed, on the usage of cryptography, and on many other controls.


This standard mainly targets cloud service providers and cloud service customers. The controls and their implementation are stated separately for each party where necessary. This helps organisations understand and implement the controls according to their usage of cloud services.

The standard introduces seven new controls, covering the following key areas:

· Roles and responsibilities that are shared within the cloud computing environment

· Management of cloud service customer assets in and out of the cloud during contract termination

· Safeguarding and separation of the customer’s virtual environment from other customers

· Hardening the requirements for virtual transactions to meet the business needs

· Control of administrative operations in the cloud-computing environment

· Enabling customers to monitor relevant activities within the cloud-computing environment

· Alignment of virtual and physical network security and its management


ISO/IEC 27017 is Designed for Cloud Service Providers and Cloud Customers


While ISO/IEC 27017 is highly relevant to cloud service providers, it is also a recommended standard for cloud service customers that entrust their data to cloud service providers. For full protection, it takes both parties—the customers and the service providers—to protect the movement and processing of data between both entities. Many government cybersecurity agencies, including the UK’s National Cyber Security Centre, recommend both the customer and the service provider implement specific protections to safeguard the movement and processing of data in and out of the cloud. It takes both organisations working together to comprehensively protect data.


Benefits of ISO/IEC 27017 Certification


As data breaches span weekly headlines, security concerns have never been higher. How can you know if a cloud service provider can be trusted to safeguard data stored and processed on your behalf? Industry experts agree that ISO/IEC 27017 certification provides additional safeguards for data transmitted to and processed within the cloud that are not adequately addressed with ISO/IEC 27001. The cloud service provider that implements ISO/IEC 27017 will see many benefits, including:


· Reduction of risks that would otherwise lurk in the shadows of an ISO/IEC 27001 organization.

· Competitive advantage in the cloud services industry compared to others who do not implement the additional safeguards to protect data in the cloud.

· Cultivating trust that rises from greater assurances that data is protected in transit, in storage and in processing.

· Protection of reputation from the harm that otherwise arises when data breaches damage brands because trust has been damaged.

· Protection from financial loss that might otherwise impact a business that falls victim to a breach of confidentiality or availability, resulting in customer attrition.

· Protection from regulatory fines imposed by supervisory authorities that find insufficient protections in place for the type and kind of services marketed to customers.


ISO/IEC 27017 also makes an organisation aware of what it should look for when choosing a cloud host. By implementing this standard, organisations can make decisions quickly and adopt cloud services. It also helps companies protect themselves from lawsuits that may disrupt the business and damage their brand reputation.


ISO/IEC 27018


This standard is considered a superior standard to 27001, and it safeguards personally identifiable information in the cloud. When an organisation owns, controls or processes personal data in the cloud, it needs to abide by additional regulations. These additional regulations can be imposed by geographic standards, for example the EU General Data Protection Regulation, HIPAA, etc. ISO 27018 was created as an ISO standard to deal with the additional concerns associated with the processing of PII using cloud computing.


Cloud service providers processing personally identifiable information (PII) under contract must operate services in ways that permit the customer and the service provider to meet the requirements of applicable legislation covering the protection of PII. The requirements on the parties (the service provider and the customer) are divided between the PII controller and the PII processor and vary from jurisdiction to jurisdiction. Working together, ISO 27017 and ISO 27018 provide a framework to identify and record jurisdictional requirements divided between the parties, ensuring that obligations falling on PII controllers that flow down to PII processors are documented, governed by a system of policies and procedures that align to these standards, and audited by a third party to measure compliance. Further, these standards are especially helpful for cloud service providers that operate in multinational markets.


Additional extended controls from ISO 27018:2019 Annex A (normative) include 12 families of added controls, including these domains:

· Consent and choice

· Purpose legitimacy and specification

· Collection limitation

· Data minimization

· Use, retention, and disclosure limitation

· Accuracy and quality

· Openness, transparency, and notice

· Individual participation and access

· Accountability

· Information security

· Privacy compliance

These are aligned with ISO/IEC 29100 nomenclature and guidance and apply to both PII controllers and PII processors.


Like ISO 27017, ISO 27018 also spans 18 sections with the following objectives:



· Helps public cloud service providers comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through a contract.

· Enables the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.

· Assists the cloud service customer and public cloud PII processors in entering into contractual agreements when PII is processed in the cloud.

· Provides cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment can be impractical technically and can increase risks to those physical and logical network security controls in place.
