International standards for Cloud security
Most organisations use Cloud storage or file sharing services in some capacity. Examples include Microsoft’s Office 365, SharePoint and OneDrive; Google Drive; Apple’s iCloud; and AWS (Amazon Web Services).
Ensuring the Cloud services you use are properly secured is critical – especially if you use them to process personal or sensitive information and must comply with data protection laws such as the GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) 2018. Moving data to a provider does not move your legal responsibility for it: you remain accountable for how that data is protected.
However, those laws give little guidance on the level of security you should implement to secure the data you process, or on how responsibility for that security is divided between you and your Cloud provider.
The international standards ISO 27017 and ISO 27018 have been created to fill that gap.
Need help with Cloud security? Speak to an expert
For more information about ISO 27017 and ISO 27018, and help deciding which standard is best for you, speak to one of our experts today.
What is ISO 27017?
Part of the ISO 27000 family of information security standards, ISO/IEC 27017:2015 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO 27017) is the international standard that provides information security implementation guidance for both providers and customers of public Cloud services.
It is designed to be applied alongside ISO/IEC 27001:2013 (ISO 27001), the international standard for an ISMS (information security management system), and its accompanying code of practice, ISO/IEC 27002:2013 (ISO 27002).
What does ISO 27017 contain?
ISO 27017 provides Cloud-specific implementation guidance on 37 of the ISO 27002 controls (the controls listed in ISO 27001’s Annex A), in each case setting out separately what the Cloud service customer and the Cloud service provider should do.
It also adds seven controls that apply only to Cloud services:
- CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
- CLD.8.1.5 Removal of cloud service customer assets
- CLD.9.5.1 Segregation in virtual computing environments
- CLD.9.5.2 Virtual machine hardening
- CLD.12.1.5 Administrator’s operational security
- CLD.12.4.5 Monitoring of cloud services
- CLD.13.1.4 Alignment of security management for virtual and physical networks
Buy your copy of ISO 27017:2015
What is ISO 27018?
ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors (ISO27018) sets out security controls to protect personal information processed in public Cloud computing environments.
Like ISO 27017, ISO 27018 is part of the ISO 27000 family and is designed to be implemented alongside ISO 27001 and ISO 27002 as part of an ISMS.
What does ISO 27018 contain?
ISO 27018 provides guidelines for Cloud service providers that process personal data on behalf of their customers (PII processors) on selecting and implementing security controls from ISO 27001 and ISO 27002, and supplements them with PII-specific controls in its Annex A (for example, not using customer PII for marketing or advertising without consent, notifying customers of a data breach, and disclosing any sub-contracted processing).
These guidelines can also be used by data controllers, although controllers are subject to additional obligations (such as establishing a lawful basis for processing and honouring data subjects’ rights) that the Standard does not cover.
Buy your copy of ISO 27018:2019
Using ISO 27017 and ISO 27018 with ISO 27001/27002
ISO 27001 sets out the specifications of an ISMS – a risk-based approach to information security that encompasses people, processes and technology.
Unlike ISO 27001, ISO 27017 and ISO 27018 are codes of practice rather than management system standards, so you cannot be certified against them in their own right. However, their controls can be adopted within an ISO 27001-compliant ISMS (for example, recorded in your Statement of Applicability alongside the Annex A controls), and independently verified certification to ISO 27001 then demonstrates that those controls are implemented and audited as part of your ISMS.
If you need advice on expanding the scope of your ISMS to include Cloud environments, get in touch with our experts today.
Cloud security and GDPR compliance
Data sovereignty is the concept that digital data is subject to the laws of the country in which it is stored or processed. It matters in the Cloud because a provider may hold or replicate your data in several jurisdictions, so you need to know where your data actually resides.
Whether your organisation uses or provides a Cloud service to process EU residents’ personal data, you must comply with the EU GDPR.
The Regulation (Article 32) requires organisations to implement technical and organisational measures, appropriate to the risk, to secure the personal data they process or that is processed on their behalf – but it does not say which measures.
Learn more about data sovereignty and the Cloud
Cloud services and the NIS Regulations
If you are a Cloud service provider and are not a micro or small enterprise (broadly, you have 50 or more employees, or an annual turnover or balance sheet total above €10 million, about £8.6 million), you are also obliged to comply with the NIS (Network and Information Systems) Regulations 2018 as a relevant digital service provider.
Like GDPR compliance, this entails implementing and maintaining appropriate technical and organisational security measures. And, like the GDPR, the NIS Regulations offer little guidance on what ‘appropriate’ means in practice, which is where the control-level guidance in ISO 27017 and ISO 27018 is useful.
Learn more about NIS Regulations compliance for digital service providers
Which standard should you use? ISO 27001, ISO 27017 or ISO 27018?
With so many standards in the ISO 27000 series, it can be difficult to know which to apply to your particular circumstances.
For most organisations, ISO 27001 and ISO 27002 should provide enough guidance on a risk management approach to applying security controls.
Learn more about ISO 27001
ISO 27017 vs ISO 27018
If you need more specific guidance on securing your Cloud environments – whether because of the type of data you are processing, because you face a higher level of threat, or because you need to pin down which security tasks are yours and which are your provider’s – then the guidance and additional controls in ISO 27017 will suit your needs.
If you are a Cloud service provider that processes personal data on behalf of your customers, ISO 27018 is more likely to be the better fit, as it takes the regulatory requirements for protecting personal data in the processor role into consideration. A provider that handles no customer personal data will get more from ISO 27017, and the two are complementary: a provider can apply both.
If you are a data controller as defined by the GDPR and DPA 2018, you can use ISO 27018’s guidelines as a checklist when assessing whether a Cloud service you use (your processor) provides appropriate security – something the GDPR (Article 28) requires you to satisfy yourself of before using it.
Start your journey to ISO 27017 and/or ISO 27018 compliance with our Cloud Security Toolkit.
- Customisable templates, documents, policies and records covering topics including backup and restoration, compliance checking, information security planning and risk assessments.
- Designed to integrate with our ISO 27001 DocumentKits toolkit to ensure you have complete control over the security of your Cloud services.
- Get professional guidance on securing your Cloud services, putting you fully in control of managing your information security.
- Reduce your implementation costs and time spent generating your documentation with instant access to the Cloud-based DocumentKits platform.