What is ISO 27017 and ISO 27018?

The increasing ubiquity of the cloud creates a number of security challenges that make organizations vulnerable to cyber attacks. To guide organizations’ use of cloud services while maintaining a strong cybersecurity posture, two ISO standards – 27017 and 27018 – provide detailed guidelines.

ISO 27017, sometimes referred to as ISO/IEC 27017, provides guidelines regarding information security (IS) controls that apply to the provision and use of cloud services. ISO 27018 establishes controls, guidelines and objectives to protect Personally Identifiable Information (PII) in public clouds.

How does ISO 27017 Differ from ISO 27018?

ISO 27017 and 27018 are international standards and codes of practice that provide guidance on information technology controls and security techniques to address threats and risks in the cloud. They are both based on and supplement ISO 27001 and ISO 27002, which provide guidelines for organizational IS standards and management practices.

The main difference between these standards is that ISO 27017 is about general IS controls for cloud services, while ISO 27018 refers to the protection of PII in the public cloud computing environment, and considers the regulatory requirements related to PII protection which may apply to a cloud service provider.

Who Does ISO 27017 and 27018 Apply To?

ISO 27017 provides implementation guidance and controls for cloud service providers and customers.

ISO 27018 applies to:

  • Public and private companies
  • Government entities
  • Not-for-profit organizations

ISO 27018 also applies to organizations that provide PII processing services via cloud computing. These guidelines are also applicable to PII controllers, although such entities may be subject to additional PII protection laws or obligations as well.

How Do ISO 27017 and 27018 Differ From ISO 27001 And 27002?

ISO 27001 provides guidelines for organizations to set up an information security management system (ISMS), reduce IS risk, and effectively manage the security of various assets, including financial information, intellectual property, employee details, information entrusted by third parties etc. With this certification, organizations can demonstrate the maturity of their IS environments.

ISO 27002 also describes controls for the organization’s security risk environment, albeit in more detail, including how they work and can be implemented. These controls are only outlined briefly in ISO 27001.

ISO 27017 suggests additional security standards and security controls for the cloud that are not adequately covered in either ISO 27001 or 27002, including:

  • Shared roles and responsibilities within the cloud environment
  • Cloud service monitoring
  • Removal of customer’s cloud assets
  • Segregation in virtual computing environments
  • Virtual machine hardening
  • Security management for virtual and physical networks

Similarly, these older standards do not specify the controls to protect PII in the cloud. ISO 27018 supplements the controls provided in these standards with additional controls for:

  • Customer and end-user control rights
  • Restricting the access to or disclosure of PII to third parties
  • Treating media containing PII

What Are The Benefits Of ISO 27017 and ISO 27018?

ISO 27017 plugs the gaps regarding cloud security in ISO 27001 and 27002. It includes both customer and supplier perspectives, reinforcing the idea that the security of and in the cloud is a shared responsibility. 

In addition to providing guidelines unique to the cloud environment, ISO 27017 enables organizations to tailor their ISMS to match their cloud-specific needs. For cloud providers, it delineates the various roles and responsibilities within this environment.

With an ISO 27018-compliant organization, customers and end-users know that their information is safe in the cloud. This is a significant benefit in the evolving regulatory landscape (e.g., GDPR), where the focus on PII protection is higher than ever.

By implementing the controls outlined in ISO 27017 and 27018, organizations can reduce the risks inherent to the cloud and minimize the cost of a potential data breach.

How Can Companies Leverage ISO 27017 and ISO 27018?

Organizations cannot be certified against the ISO 27017 controls since it is not a management standard. 

However, by adding its additional controls to the scope of the ISO 27001 certification audit, they can demonstrate conformance to this newer standard. This is especially beneficial for cloud providers entrusted with sensitive customer data.

Similarly, organizations cannot be officially certified against ISO 27018. However, they can demonstrate compliance with the standard by implementing its controls and garner customer trust by demonstrating their ability to protect customer PII and privacy in the cloud.

How Long Does An ISO Certification Last?

Every certification process for the ISO family of standards follows a three-year cycle. If an organization applies for a particular certification and complies with its requirements, the certificate is issued after the initial pre-assessment audit in the first year. 

The audit happens in two stages. In stage 1, the auditor verifies whether the organization is close to meeting the chosen standard’s requirements. In stage 2, the auditor recommends the company for certification.

In years 2 and 3, surveillance audits are carried out to ensure ongoing compliance with the chosen standard.After three years, the company must seek recertification, and the process restarts.

Key Takeaways

  • ISO 27017:2015 provides guidelines regarding information security (IS) controls for the provision and use of cloud services
  • ISO 27018:2019 establishes controls, guidelines, and objectives to protect Personally Identifiable Information (PII) in public clouds
  • ISO 27017 provides controls and guidance for cloud service providers and cloud service customers
  • ISO 27018 applies to companies, government entities, and not-for-profit organizations