Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and ISO/IEC 27018 (slide deck, 31 slides)

Upload: schellman-company

Posted 11-Jan-2017


Agenda

• Introduction
• ISO 27017 Overview
• ISO 27018 Overview
• ISO 27017 and ISO 27018 Application
• ISO 27017 and ISO 27018 Audit Approach
• Market Acceptance of ISO 27017 and ISO 27018
• Q&A

Ryan Mackie, ISO Certification Practice Director

ISO 27017 Overview

ISO 27017 Overview

• Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• Published December 15, 2015
• Applicable to both the provision and the use of cloud services: guidance is given for cloud service providers and for cloud service customers
• A supplement to ISO 27002, not a replacement for it

27017 Design

• Aligned to ISO 27001 Annex A / ISO 27002: the same control numbering is used
• Adds cloud service provider (and customer) implementation guidance to existing controls
• Not intended to be a unique control set
  – e.g. A.6.1.2 (segregation of duties) keeps its Annex A wording; 27017 adds cloud-specific guidance for applying it
• Recommendations, not requirements: "should" versus "shall"

27017 Depth – Supplemental Controls

• 35 supplemental controls (cloud-specific implementation guidance) mapped to ISO 27001 Annex A
  – All domains except A.17, Information Security Aspects of Business Continuity Management
  – By domain: A5 (1), A6 (2), A7 (1), A8 (2), A9 (7), A10 (2), A11 (1), A12 (6), A13 (1), A14 (2), A15 (2), A16 (3), A18 (5)

27017 Depth – Extended Controls

• 7 extended controls (ISO 27017 Annex A, numbered CLD.x.y.z)
  – Cover domains A6, A8, A9, A12 and A13: CLD.6.3.1 shared roles and responsibilities within a cloud computing environment; CLD.8.1.5 removal of cloud service customer assets; CLD.9.5.1 segregation in virtual computing environments; CLD.9.5.2 virtual machine hardening; CLD.12.1.5 administrator's operational security; CLD.12.4.5 monitoring of cloud services; CLD.13.1.4 alignment of security management for virtual and physical networks
  – Act as additional controls that complement those of Annex A

27017 – How Unique?

• Not very unique
• Most CSPs are already designed to meet 27017
• Supplemental control example
• Extended control example

ISO 27018 Overview

ISO 27018 Overview

• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• Supplement to ISO 27002 for public cloud providers

27018 Design

• Aligned to ISO 27001 Annex A / ISO 27002
• Implementation guidance for protecting PII in the public cloud
• Not intended to be a unique control set
  – e.g. A.6.1.2 (segregation of duties) keeps its Annex A wording; 27018 adds PII-specific guidance for applying it
• Recommendations, not requirements: "should" versus "shall"

27018 Depth – Supplemental Controls

• 14 supplemental controls mapped to ISO 27001 Annex A
  – All domains except Asset Management (A.8); System Acquisition, Development and Maintenance (A.14); Supplier Relationships (A.15); and Information Security Aspects of Business Continuity Management (A.17)
  – By domain: A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)

27018 Depth – Extended Controls

• 25 extended controls (ISO 27018 Annex A), organised by the 11 privacy principles of ISO/IEC 29100
  – Controls are grouped under eight of those principles: Consent and choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance
  – Act as additional controls that complement those of Annex A

27018 – How Unique?

• More unique than 27017
• Incorporates privacy principles
• Supplemental control example
  – A.11.2.7, secure disposal or re-use of equipment: equipment containing storage media that may possibly contain PII should be treated as though it does
• Extended control example
  – A.4, data minimization: temporary files and documents should be erased or destroyed within a specified, documented period
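The A.4 data-minimization control above is only a "should" statement; what an auditor will ask for is evidence that temporary files are actually erased within the documented period. The following is an added example (Python), not code from the Schellman deck or from the standard: it sweeps a temporary-file tree against an assumed 30-day documented retention period, skips symlinks so a planted link cannot make the sweep delete data outside the tree, and returns an "overdue" count that can be recorded as a Clause 9.1 measurement of the control. The directory layout, file names and the 30-day period are assumptions made for the example.

```python
"""Retention sweep for temporary files that may hold PII.

Added example, not from the Schellman deck or from ISO/IEC 27018: enforces a
documented retention period for temporary files (27018 Annex A, A.4 data
minimization) and returns counts that an ISMS measurement programme (Clause 9.1)
can record. The directory layout, file names and 30-day period are assumptions.
"""
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

SECONDS_PER_DAY = 86400


@dataclass
class SweepResult:
    overdue: int = 0                 # files older than the documented period (Clause 9.1 metric)
    removed: List[str] = field(default_factory=list)
    skipped_symlinks: int = 0        # links are counted, never followed or unlinked through


def sweep_temp_dir(root: str, retention_days: int,
                   dry_run: bool = False, now: Optional[float] = None) -> SweepResult:
    """Unlink regular files under `root` whose mtime is older than `retention_days`.

    Symlinks are counted and skipped: a planted link must not let the sweep
    delete data outside the temporary tree. Directory symlinks are not
    descended into either (os.walk defaults to followlinks=False).
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                result.skipped_symlinks += 1
                continue
            if path.stat().st_mtime < cutoff:
                result.overdue += 1          # nonconformance against the documented period
                if not dry_run:
                    path.unlink()
                    result.removed.append(str(path))
    return result


def build_sample_tree(base: str, now: float) -> None:
    """Constructed sample data: one 40-day-old export, one fresh export, one symlink."""
    base_path = Path(base)
    base_path.mkdir(parents=True, exist_ok=True)
    stale = base_path / "export-old.csv"
    stale.write_text("name,email\n")
    os.utime(stale, (now - 40 * SECONDS_PER_DAY, now - 40 * SECONDS_PER_DAY))
    fresh = base_path / "export-new.csv"
    fresh.write_text("name,email\n")
    os.utime(fresh, (now, now))
    try:
        (base_path / "link-to-old").symlink_to(stale)
    except OSError:
        pass  # symlink creation may be restricted (e.g. Windows without privilege)


def demo(retention_days: int = 30) -> dict:
    """Dry run, then a real sweep, over the constructed tree; return the evidence."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, now)
        dry = sweep_temp_dir(tmp, retention_days, dry_run=True, now=now)
        live = sweep_temp_dir(tmp, retention_days, now=now)
        return {
            "dry_overdue": dry.overdue,
            "dry_removed": len(dry.removed),
            "live_removed": [Path(p).name for p in live.removed],
            "fresh_kept": (Path(tmp) / "export-new.csv").exists(),
            "old_gone": not (Path(tmp) / "export-old.csv").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Run the dry run from a scheduled job and log the `overdue` count: a value above zero on a run means files outlived the documented period, which is exactly the kind of measurement the Clause 9.1 slides ask for on supplemental and extended controls.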

ISO 27017 and ISO 27018 Application

Design – Scope (Clause 4)

• Modify the ISMS scope statement as applicable
• Ensure the cloud (27017) and PII-processing (27018) services are properly brought into scope by identifying:
  – Internal and external issues
  – Needs and expectations of interested parties
  – Interfaces and dependencies between activities performed by the organization and those performed by other organizations

Design – Risk Assessment (Clause 6)

• Identify the supplemental and extended controls through the risk assessment process
• Selected controls should be necessary to mitigate risks applicable to the scope
• Apply appropriate risk treatment where necessary

Design – Statement of Applicability (Clause 6)

• Incorporate the supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies, across the whole of each related standard rather than only the controls chosen
• Determine whether each supplemental / extended control is in place

Design – Objectives (Clause 6)

• Modify the information security objectives as appropriate
• Ensure that any modification to the information security objectives is measured

Monitoring – Measurement (Clause 9.1)

• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper measurement criteria are applied
• Include relevant personnel

Monitoring – Internal Audit (Clause 9.2)

• Incorporate the supplemental / extended controls into the audit plan / program
• Assess results
• Plan remediation

ISO 27017 and ISO 27018 Audit Approach

Initial Certification

• 27017 and/or 27018 are incorporated into the Stage 2 audit
• The Statement of Applicability acts as the audit road map

Surveillance / Recertification

• Perform the regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
• Apply heavier focus on the inclusion of ISO 27017 and/or ISO 27018

Scope Expansion

• Specifically focus on the inclusion of ISO 27017 and/or ISO 27018
• Assess the relevant elements of the ISMS and the supplemental / extended controls

Inclusion on Certificate

• Included as part of the scope statement on the ISO 27001 certificate, tied to the SOA entries based on ISO 27017 and/or ISO 27018
• Visible in the certification body's certificate directory
• No unique mark or accredited certificate is issued for ISO 27017 and/or ISO 27018 themselves; a standalone "27017 certificate" or "27018 certificate" would be an unaccredited certificate

Market Acceptance of ISO 27017 and ISO 27018

ISO 27017

• Relatively new
• Market adoption driven by customers and/or competitors
• General cloud application versus the CSA STAR program

ISO 27018

• Greater acceptance
• Withdrawal of Safe Harbor
• Greater interest in privacy and security, specifically for cloud services

Thank You