ISO 27017/27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII).
Discover:
• Background of ISO 27017 and 27018
• Scope and Purpose
• Comparison with ISO 27001 and 27002
• Future of ISO 27017 with ISO 27018
• Challenges and Benefits
• Certification Process and Next Steps
Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018
1. Locking Up Your Cloud Environment | 1
LOCKING UP YOUR CLOUD ENVIRONMENT
An Introduction to ISO/IEC 27017 and ISO/IEC 27018
Agenda
• Introduction
• ISO 27017 Overview
• ISO 27018 Overview
• ISO 27017 and ISO 27018 Application
• ISO 27017 and ISO 27018 Audit Approach
• Market Acceptance of ISO 27017 and ISO 27018
• Q&A
RYAN MACKIE
ISO Certification Practice Director
ISO 27017 Overview
• Based on ISO/IEC 27002 for cloud providers
• Published December 15, 2015
• Applicable to the provision and use of cloud services
• Supplement to ISO 27002 for cloud providers
27017 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Cloud service provider control guidance
• Not intended to be a unique control set
– e.g. A6.1.2 – segregation of duties
• Recommendations, not requirements
– "Should" v. "shall"
27017 Depth – Supplemental Controls
• 35 supplemental controls to ISO 27001 Annex A
– All domains but Information Security Aspects of Business Continuity
– A5 (1), A6 (2), A7 (1), A8 (2), A9 (7), A10 (2), A11 (1), A12 (6), A13 (1), A14 (2), A15 (2), A16 (3), A18 (5)
27017 Depth – Extended Controls
• 7 extended controls (27017 Annex A)
– Cover domains A6, A8, A9, A12, and A13
– Act as additional controls to complement those of Annex A
27017 – How Unique?
• Not very unique
• Most CSPs are already designed to meet 27017
• Supplemental Control Example
• Extended control
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• Supplement to ISO 27002 for public cloud providers
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
– e.g. A6.1.2 – segregation of duties
• Recommendations, not requirements
– "Should" v. "shall"
27018 Depth – Supplemental Controls
• 14 supplemental controls to ISO 27001 Annex A
– All domains but Asset Management; System Acquisition, Development, and Maintenance; Supplier Relationships; and Information Security Aspects of Business Continuity Management
– A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
27018 Depth – Extended Controls
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
– Covers: Consent and choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance
– Act as additional controls to complement those of Annex A
27018 – How Unique?
• More unique than 27017
• Incorporation of privacy principles
• Supplemental control example
– A11.2.7 – Secure disposal or re-use of equipment
– Equipment containing storage media that may possibly contain PII should be treated as though it does
• Extended control example
– A.4 – Data minimization
– Temporary files and documents should be erased or destroyed within a specified, documented period
ISO 27017 and ISO 27018 Application
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
– Internal and external issues
– Needs and expectations of interested parties
– Interfaces and dependencies between activities performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment where necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine whether the supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure any modification to the information security objectives is measured
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into audit plan / program
• Assessment of results
• Planned remediation
ISO 27017 and ISO 27018 Audit Approach
Initial Certification
• Stage 2 incorporation of 27017 and/or 27018
• Statement of Applicability acts as an audit road map
Surveillance / Recertification
• Perform regular maintenance reviews to ensure continued conformance and operating effectiveness of the ISMS
• Apply heavier focus on inclusion of ISO 27017 and/or ISO 27018
Scope Expansion
• Specifically focus on inclusion of ISO 27017 and/or ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
Inclusion on Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27017 and/or ISO 27018
• Available on certificate directory
• No unique mark or certificate issued for ISO 27017 and/or ISO 27018 (i.e. unaccredited certificates)
Market Acceptance of ISO 27017 and ISO 27018
ISO 27017
• Relatively new
• Market adoption driven by customers and/or competitors
• General cloud application v. CSA STAR Program
ISO 27018
• Greater acceptance
• Withdrawal of Safe Harbor
• Greater interest in privacy and security, specifically for cloud services