What Are ISO 27017 and ISO 27018, and What Are Their Controls?

Extending your ISMS to address Cloud security risks

ISO 27001 sets out the specification – the requirements – for an effective ISMS (information security management system).

But did you know you can extend your ISO 27001 ISMS to cover specific aspects of Cloud security?

Two ISO standards in particular stand out:

  1. ISO 27017
  2. ISO 27018

Let’s take a closer look at both ISO 27017 and ISO 27018.


Note: The current versions of ISO 27017 and ISO 27018, ISO/IEC 27017:2015 and ISO/IEC 27018:2019, are aligned to the previous (2013) edition of ISO 27002. The new (2022) control set has been completely reorganised, and 11 new controls were added, including 5.23: Information security for use of Cloud services.

However, no old controls were removed; they’ve just been renumbered and, in some cases, merged.


Contents


What is ISO 27017?

ISO 27017 provides a code of practice for information security controls based on ISO 27002 for Cloud services.

As ISO 27017 points out, Cloud computing presents its own security risks, as it’s technically designed and operated in a way different to other computing resources.

The Standard therefore supplies additional controls (compared to those in ISO 27002/Annex A of ISO 27001) to help address Cloud-specific information security risks and threats.

Where applicable, ISO 27017 also provides additional guidance on the ISO 27002 controls when implemented for Cloud services. (For the remaining controls, it simply points to the guidance in ISO 27002.)

For each control, the guidance is split into two parts: for Cloud service customers, and for Cloud service providers.


What are the ISO 27017 controls?

The extended control set for Cloud services, provided in Annex A of ISO 27017, contains 7 controls:

  • CLD.6.3.1 Shared roles and responsibilities within a Cloud computing environment
  • CLD.8.1.5 Removal of Cloud service customer assets
  • CLD.9.5.1 Segregation in virtual computing environments
  • CLD.9.5.2 Virtual machine hardening
  • CLD.12.1.5 Administrator’s operational security
  • CLD.12.4.5 Monitoring of Cloud services
  • CLD.13.1.4 Alignment of security management for virtual and physical networks

The numbering system aligns with ISO 27002:2013.

As with the ISO 27002 control set, organisations implementing this control set aren’t expected to blindly apply them all, taking a checklist-like approach.

Rather, as stipulated by ISO 27001, organisations must conduct an information security risk assessment. This involves:

The most common way to respond to a risk is to implement an appropriate control (‘modify the risk’), which can but doesn’t have to be from Annex A (whether in ISO 27001 or ISO 27017).


Finding this blog useful? To get notified of future
expert insight like this, subscribe to our free
weekly newsletter: the Security Spotlight.


What is ISO 27018?

ISO 27018 is also a code of practice, but for protecting PII (personally identifiable information) in the Cloud as a data processor.

Like ISO 27017, ISO 27018 is an extension to an ISO 27001 ISMS, outlining guidance for the ISO 27002 controls (where applicable) as well as an extended control set in Annex A (of ISO 27018).


What are the ISO 27018 controls?

Annex A of ISO 27018 contains 25 additional controls to those in ISO 27002:

  • A.2.1 Obligation to cooperate regarding PII principals’ [data subjects’] rights
  • A.3.1 Public Cloud PII processor’s purpose
  • A.3.2 Public Cloud PII processor’s commercial use
  • A.5.1 Secure erasure of temporary files
  • A.6.1 PII disclosure notification
  • A.6.2 Recording of PII disclosures
  • A.8.1 Disclosure of sub-contracted PII processing
  • A.10.1 Notification of a data breach involving PII
  • A.10.2 Retention period for administrative security policies and guidelines
  • A.10.3 PII return, transfer and disposal
  • A.11.1 Confidentiality or non-disclosure agreements
  • A.11.2 Restriction of the creation of hardcopy material
  • A.11.3 Control and logging of data restoration
  • A.11.4 Protecting data on storage media leaving the premises
  • A.11.5 Use of unencrypted portable storage media and devices
  • A.11.6 Encryption of PII transmitted over public data-transmission networks
  • A.11.7 Secure disposal of hardcopy materials
  • A.11.8 Unique use of user IDs
  • A.11.9 Records of authorised users
  • A.11.10 User ID management
  • A.11.11 Contract measures
  • A.11.12 Sub-contracted PII processing
  • A.11.13 Access to data on pre-used data storage space
  • A.12.1 Geographical location of PII
  • A.12.2 Intended destination of PII

The numbering system is aligned to the 11 privacy principles of ISO/IEC 29100.

As with ISO 27001 and ISO 27017, you should only implement the controls required to address your specific risks.


Put data protection front and centre in your approach to Cloud security

Many organisations didn’t and paid the price: a devastating loss of customer trust and public credibility, not to mention billions of records breached.

Two days of training – with our Certified ISO 27018 CIS CPS Training Course – will reveal a methodical approach based on ISO standards that safeguards PII.

Learn to identify the non-negotiable requirements for Cloud-based PII in the context of UK and international law, and understand the roles and responsibilities of data controllers and processors.

Strengthen your data governance and ensure legal and regulatory compliance: