ISO 27017 & ISO 27018 Compliance Documentation
Cloud services offer great scalability and flexibility. However, for a company, the adoption of cloud services is challenging as it raises concerns about security. Even though being ISO 27001 certified, if a company is using or providing cloud based services, then they must see what the ISO standards for Cloud Computing have in store for them.
Following are the two standards in focus:
ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27018:2014 – Information technology — Security techniques — Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors
This standard goes beyond ISO 27001 to address concerns related to customer identity, segregation of assets on virtual servers, clarification on distribution of roles and responsibilities, use of cryptography and few new controls that offers guidance on securing the cloud environment. As this standard is aimed at both: the Cloud Service Providers and Cloud Service Customers, the controls and implementation guidance are mentioned separately for both, wherever necessary. This assists in understanding and implementing the controls for the company according to their use of cloud services.
The seven new controls introduced in this standard address the following important areas:
• Shared roles and responsibilities within a cloud computing environment
• Removal and return of cloud service customer assets upon contract termination
• Protection and separation of a customer’s virtual environment from that of other customers
• Virtual machine hardening requirements to meet business needs
• Procedures for administrative operations of a cloud-computing environment
• Enabling customers to monitor relevant activities within a cloud-computing environment
• Alignment of security management for virtual and physical networks
ISO/IEC 27017 also makes a company aware of what they should look for while opting their cloud host. Implementation of this standard will be helpful in the decision making process when a company adopts cloud services. The adoption of this standard can assist companies in protecting themselves from harmful accusations or lawsuits that may disrupt their business and damage their brand.
This standard also goes further beyond ISO 27001; however, the emphasis here is on safeguarding the personal information in the Cloud. When a company is involved in owning, controlling or processing of personal data in cloud, it is required to abide by additional regulations. These additional regulations can be imposed by the (1) geographic standards, for example, EU General Data Protection Regulation, or by the (2) industry standards, for example, HIPAA (Health care industry). To deal with the additional concerns associated with the processing of personal data using cloud computing, ISO created a new standard, ISO/IEC 27018.
Let us understand few terms used in this standard.
PII: Personally Identifiable Information is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
PII Controller: Who determine the purposes for which and the manner in which any personal data are, or are to be, processed.
PII Processor: Who processes the data on behalf of and in accordance with the instructions of the PII controller. (Other than an employee of the data controller)
PII Principal: To whom PII relates
The standard helps cloud service provider to comply with the obligations applicable to them while acting as the PII processor. The cloud service customers can select well-governed, cloud based PII processing services. As this standard also insists on documenting the distribution of roles and responsibilities related to PII between the cloud service provider and cloud service customer, it helps them in entering into a contractual agreement. The standard also provides cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities.
Implementation of these standards increases the trust factor in a company’s products/services, giving them a competitive advantage. It will reduce the identified risks and the fines too, in case of any data breach.