ISO 27017 and ISO 27018

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here
Download your copy of ISO 27002:2022 here

Most organisations use Cloud storage or file sharing services in some capacity. Examples include Microsoft’s Office 365, SharePoint and OneDrive, Google Drive, Apple’s iCloud, and AWS (Amazon Web Services).

Ensuring the Cloud services you use are properly secured is critical – especially if you use them to process personal or sensitive information and must comply with data protection laws such as the GDPR (General Data Protection Regulation) and DPA (Data Protection Act) 2018.

However, those laws give little guidance on the level of security you should implement to secure the data you process.

The international standards ISO 27017 and ISO 27018 have been created to fill that gap.

ISO/IEC 27017 is an information security standard that provides additional guidance for implementing ISO 27002 information security controls within a Cloud computing environment.

It was first published in September 2015 as ISO/IEC 27017:2015.

What is the scope of ISO 27017?
ISO/IEC 27017 applies to organisations that provide services within the Cloud computing environment and have an ISMS (information security management system) in place.

As part of the ISMS, organisations can choose which controls from ISO/IEC 27002 they wish to implement based on their own risk assessment.

How is ISO 27017 structured?
ISO/IEC 27017 is structured around the same clauses as ISO/IEC 27002, with each clause covering a specific aspect of information security.

The Standard includes an annex that provides additional controls and guidance on implementing specific security controls.

What are the benefits of ISO 27017?
ISO/IEC 27017 can help organisations to:

• Protect their information assets within the Cloud computing environment.
• Comply with legal and regulatory requirements.
• Reduce the risk of information security incidents.
• Save costs by reducing the need for duplicate controls.

What does ISO 27017 contain?
ISO 27017 provides guidance on applying 37 of ISO 27001’s Annex A information security controls to Cloud environments.

It also provides seven additional controls that relate specifically to Cloud services and address:

• CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
• CLD.8.1.5 Removal of cloud service customer assets
• CLD.9.5.1 Segregation in virtual computing environments
• CLD.9.5.2 Virtual machine hardening
• CLD.12.1.5 Administrator’s operational security
• CLD.12.4.5 Monitoring of Cloud services
• CLD.13.1.4 Alignment of security management for virtual and physical networks

  Buy your copy of ISO 27017:2015

ISO 27018 is an international standard that provides guidance on protecting PII (personally identifiable information) in a public Cloud computing environment.

The Standard is intended to help organisations ensure the confidentiality of their customers’ data by providing guidance on how to select and implement appropriate security controls. It is also designed to help organisations assess the risks associated with public Cloud computing services.

What is the scope of ISO 27018? The scope of ISO 27018 is to establish common principles for handling PII by public Clouds acting as processors on behalf of their customers.

What are the benefits of ISO 27018? The main benefits of ISO 27018 are that it provides guidance on how to protect personal data in the Cloud and can help organisations demonstrate compliance with data protection regulations. It can also help improve Cloud services’ security and build trust between organisations and their customers.

What does ISO 27018 contain? ISO 27018 provides guidelines for Cloud service providers on selecting and implementing security controls based on ISO 27001 and ISO 27002.

These guidelines can also be used by data controllers, although it should be noted that controllers are subject to additional obligations that are not specified in the Standard.

Buy your copy of ISO 27018:2019

ISO 27001 sets out the specifications of an ISMS – a risk-based approach to information security that encompasses people, processes and technology.

Unlike ISO 27001, ISO 27017 and ISO 27018 are not management system standards, so you cannot attain certification to them. However, their controls can be adopted as part of an ISO 27001-compliant ISMS, and you can achieve independently verified certification to demonstrate your conformance to that standard.

If you need advice on expanding the scope of your ISMS to include Cloud environments, get in touch with our experts today.

Data sovereignty is the concept that digital data is subject to the laws of the country in which it is processed.

If your organisation uses or provides a Cloud service to process EU or UK residents’ personal data, you must comply with the relevant data protection legislation (i.e. the EU GDPR and/or the UK GDPR).

The Regulation calls for organisations to implement appropriate technical and organisational measures to secure the personal data they process, or that is processed on their behalf.

Learn more about data sovereignty and the Cloud

If you are a Cloud service provider with 50 or more employees and an annual turnover of more than €10 million (about £8.4 million), you are also obliged to comply with the NIS (Network and Information Systems) Regulations 2018.

Like GDPR compliance, this entails implementing and maintaining appropriate technical and organisational security measures. And, like the GDPR, the NIS Regulations offer little guidance on what is ‘appropriate’.

Learn more about NIS Regulations compliance for digital service providers

With so many standards in the ISO 27000 series, it can be difficult to know which to apply to your circumstances.

For most organisations, ISO 27001 and ISO 27002 should provide enough guidance on a risk management approach to applying security controls.

Learn more about ISO 27001

ISO 27017 vs ISO 27018
If you need more specific guidance on securing your Cloud environments, the information and additional controls found in ISO 27017 will suit your needs.

If you are a Cloud service provider, ISO 27018 is more likely to be the better fit as it takes regulatory requirements for protecting personal data into consideration.

If you are a data controller as defined by the GDPR and DPA 2018, you can use ISO 27018’s guidelines to help ensure that any Cloud service you use provides appropriate security.

Start your journey to ISO 27017 and/or ISO 27018 compliance with our Cloud Security Toolkit.

• Customisable templates, documents, policies and records covering topics including backup and restoration, compliance checking, information security planning and risk assessments.
• Designed to integrate with our ISO 27001 toolkit to ensure you have complete control over the security of your Cloud services.
• Get professional guidance on securing your Cloud services, putting you fully in control of managing your information security.
• Reduce your implementation costs and time spent generating your documentation with instant access to the Cloud-based DocumentKits platform.

Buy now