Locking Up Your Cloud Environment | 1
LOCKING UP YOUR CLOUD ENVIRONMENT
An Introduction to ISO/IEC 27017 and ISO/IEC 27018
Agenda
• Introduction
• ISO 27017 Overview
• ISO 27018 Overview
• ISO 27017 and ISO 27018 Application
• ISO 27017 and ISO 27018 Audit Approach
• Market Acceptance of ISO 27017 and ISO 27018
• Q&A
Ryan Mackie
ISO Certification Practice Director
ISO 27017 Overview
• Based on ISO/IEC 27002 for cloud providers
• Issued December 15, 2015
• Applicable to the provision and use of cloud services
• Supplement to ISO 27002 for cloud providers
27017 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Cloud service provider control guidance
• Not intended to be a unique control set
  – e.g. A6.1.2 – Segregation of duties
• Recommendations, not Requirements
  – Should vs. Shall
27017 Depth – Supplemental Controls
• 35 supplemental controls to ISO 27001 Annex A
  – All domains but Information Security Aspects of Business Continuity
  – A5 (1), A6 (2), A7 (1), A8 (2), A9 (7), A10 (2), A11 (1), A12 (6), A13 (1), A14 (2), A15 (2), A16 (3), A18 (5)
27017 Depth – Extended Controls
• 7 extended controls (27017 Annex A)
  – Cover domains A6, A8, A9, A12, and A13
  – Act as additional controls to complement those of Annex A
27017 – How Unique?
• Not very unique
• Most CSPs are already designed to meet 27017
• Supplemental Control Example
• Extended Control
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• Supplement to ISO 27002 for public cloud providers
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  – e.g. A6.1.2 – Segregation of duties
• Recommendations, not Requirements
  – Should vs. Shall
27018 Depth – Supplemental Controls
• 14 supplemental controls to ISO 27001 Annex A
  – All domains but Asset Management; System Acquisition, Development, and Maintenance; Supplier Relationships; and Information Security Aspects of Business Continuity Management
  – A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
27018 Depth – Extended Controls
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  – Cover: Consent and choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance
  – Act as additional controls to complement those of Annex A
27018 – How Unique?
• More unique than 27017
• Incorporation of privacy principles
• Supplemental Control Example
  – A11.2.7 – Secure disposal or re-use of equipment
  – Equipment containing storage media that may possibly contain PII should be treated as though it does
• Extended Control
  – A.4 – Data Minimization
  – Temporary files and documents should be erased or destroyed within a specified, documented period
ISO 27017 and ISO 27018 Application
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  – Internal and external issues
  – Needs and expectations of interested parties
  – Interfaces and dependencies between activities performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine whether each supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure any modification to the information security objectives is measured
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into the audit plan / program
• Assessment of results
• Planned remediation
ISO 27017 and ISO 27018 Audit Approach
Initial Certification
• Stage 2 incorporation of 27017 and/or 27018
• Statement of Applicability acts as an audit road map
Surveillance / Recertification
• Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
• Apply heavier focus on inclusion of ISO 27017 and/or ISO 27018
Scope Expansion
• Specifically focus on inclusion of ISO 27017 and/or ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
Inclusion on Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27017 and/or ISO 27018
• Available on the certificate directory
• No unique mark or certificate issued for ISO 27017 and/or ISO 27018 (i.e. unaccredited certificates)
Market Acceptance of ISO 27017 and ISO 27018
ISO 27017
• Relatively new
• Market adoption driven by customers and/or competitors
• General cloud application vs. CSA STAR Program
ISO 27018
• Greater acceptance
• Withdrawal of Safe Harbor
• Greater interest in privacy and security, specifically for cloud services

Thank You