ISO 27017

Cloud customers are concerned about security - it remains a key reason why organizations hesitate to adopt cloud services despite the flexibility and scalability the cloud can offer. A central concern is whether cloud service providers (CSPs) treat customer data with sufficient care and attention.

The main elements of this concern are the worry that data could end up in the wrong hands and the question of what control a customer has over a careless operator. But there are other concerns too: customer identity, segregation of tenants' assets on shared virtual servers, and what happens to assets if a CSP goes out of business all play on potential cloud users' minds. The ISO/IEC 27001 family addresses some of these concerns, but a newer standard, ISO/IEC 27017 Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services, goes further and offers more peace of mind for potential cloud customers. Typical cloud and technical standards address only the provider side: controls and guidance aimed at the cloud service provider. What's unique and extremely helpful about ISO/IEC 27017 is that it provides guidance and advice to both the CSP and the cloud service customer. In addition to helping ensure that services are secure, ISO/IEC 27017 also aims to educate customers on what they should expect from their host in the cloud.

It's not only the separation of responsibilities that the standard helps define: ISO/IEC 27017 also goes into much more detail about the type of security controls that service providers should be implementing - helping reduce the barriers to cloud adoption. ISO/IEC 27017 offers a way for cloud service providers to indicate the level of controls that have been implemented. This means documented evidence - backed up by independent sources such as certification to recognized standards - showing that appropriate policies have been implemented and, most importantly, what types of controls have been introduced. This information should be shared with the cloud customer before any contract is signed, to head off disputes later. In cases where an independent audit isn't practical or would itself pose a greater risk to information security, the standard does allow CSPs to self-assess. When this is the case, the CSP must tell customers that the assessment was a self-assessment rather than an independent one.

There's also guidance about any cryptography being used. This applies to both the customer and the provider, as both have responsibilities in this area. The provider should tell the customer how it uses cryptography and help customers apply protection of their own. It should also consider special cases, such as health data, where there may be additional regulatory requirements. Customers should likewise be upfront about the type of cryptography they're using - and they ought to be using cryptography wherever the risk analysis suggests it's needed. In fact, this is exactly the sort of dispute or misunderstanding that underpins the need for the standard. Not only should both parties assure each other that the network is being protected, they should also be able to confirm that the two sides' cryptographic mechanisms are compatible. And, crucially, it should be agreed whether these controls apply to data at rest, data in transit, or both, since the two are often protected by different mechanisms and assuming one covers the other has caused misunderstandings before.

ISO 27018

The cloud offers organizations and consumers a variety of benefits: cost savings, flexibility and mobile access to information top the list. It also raises concerns about data protection and privacy, particularly around personally identifiable information (PII). PII is any information that can be used to identify a specific natural person. The more obvious examples include names and contact details or your mother's maiden name, but less obvious ones are medical records, IP addresses and bank statements. Used together with ISO/IEC 27001, ISO/IEC 27018 allows cloud service providers whose ISO/IEC 27001-certified infrastructure implements the standard to tell existing and potential customers that personal data is safeguarded and will be processed only for the purposes the customer has specifically consented to.

Whether you're new to ISO/IEC 27018 or looking to take your expertise further, we have the right approach to help you achieve certification. We offer packages that can be customized to your business to get you started with information security management. An ISO/IEC 27018 package can be designed to remove the complexity of getting you where you want to be - whatever your starting point.

  • Inspires trust in your business - provides greater reassurance to your customers and stakeholders that personal data and information is protected.
  • Competitive advantage - stand out from your competitors by protecting personal information to the highest level.
  • Protects your brand - reduces the risk of adverse publicity due to data breaches.
  • Reduces risks - ensures that risks are identified and controls are in place to manage or reduce them.
  • Protects against fines - helps ensure that local regulations are complied with, reducing the risk of fines for data breaches.
  • Helps grow your business - provides common guidelines across different countries, making it easier to do business globally and gain access as a preferred supplier.
