In the modern online world, cloud computing supports the functioning of the vast majority of large organizations. While the cloud is highly scalable and flexible, it also presents novel security threats. To counter these novel threats, various cloud security standards have been developed. Two of the most applicable among them are ISO 27017 and ISO 27018. Comparing and contrasting them is essential for any organization that utilizes cloud services.
The Standard: ISO/IEC 27001 and ISO/IEC 27002
Before diving into ISO 27017 and ISO 27018, it’s essential to understand their foundation and why the need for further standards arose. Both standards are built upon ISO/IEC 27001, which specifies the requirements for an Information Security Management System (ISMS), and ISO/IEC 27002, which provides a comprehensive set of information security controls and best practices. Think of ISO 27001 as the framework for how to manage security, and ISO 27002 as a catalogue of the security controls that can be implemented.
ISO/IEC 27017: Cloud-Specific Information Security
What it is:
ISO/IEC 27017:2015 is an international standard that offers further guidance on implementing the information security controls listed in ISO/IEC 27002, specifically in cloud computing environments. It serves as an add-on, providing cloud-specific implementation guidance for 37 of ISO 27002’s controls and adding seven new controls that cover the specificities of cloud services.
It’s like: Extra directions for applying the overall security guidelines (from ISO 27002) when you’re storing things in the cloud. It’s similar to being given additional advice on how to lock up your belongings when you’re leasing space in a shared virtual building.
Focus: The main emphasis of ISO 27017 is placed on the interaction between cloud service customers and cloud service providers. It explains the mutual responsibilities and makes it easier for both sides to understand how to implement security controls in the context of the cloud.
Important Areas Covered by New Controls:
Example of a new regulation:
Suppose you delete your files from the cloud. ISO 27017 provides guidance to ensure the cloud provider actually removes them properly from its systems, rather than leaving copies behind.
Who it’s for:
ISO 27017 applies to both cloud service providers (such as AWS, Google Cloud, Microsoft Azure) and cloud service customers who make use of cloud services. It assists the providers in showcasing the security of their services and assists customers in securing their own applications and data in the cloud.
ISO/IEC 27018: Protecting Personally Identifiable Information (PII) in the Cloud
What it is: ISO/IEC 27018:2019 is an international standard that offers guidance on protecting Personally Identifiable Information (PII) in public cloud computing environments. It extends ISO/IEC 27002 by introducing specific controls and implementation considerations that address the privacy aspects of PII processing by cloud service providers acting as PII processors.
The analogy would be: Extra robust privacy rules just for personal data held in public clouds (the type anyone can lease space in). It’s similar to having stronger locks and stricter protocols for the rooms in the virtual building that hold private information.
Focus: The prime emphasis of ISO 27018 is on maintaining the confidentiality, integrity, and availability of personal data stored and processed in the public cloud. It seeks to create a common approach for how public cloud providers manage PII on behalf of their clients.
Key Areas Covered: ISO 27018 gives recommendations to cloud service providers regarding the selection and application of security controls pertaining to:
Example of a rule:
ISO 27018 provides guidelines on obtaining your consent before processing your personal data in the cloud and on providers being transparent about what they do with it.
Who it’s for:
ISO 27018 is primarily intended for public cloud service providers that handle PII. It is also useful for data controllers (the organizations that own the PII) to know which security controls their cloud providers ought to implement.
Critical Differences and Relationships:
| Feature | ISO/IEC 27017 | ISO/IEC 27018 |
|---|---|---|
| Primary Focus | Information security in the cloud (broader scope) | Protection of Personally Identifiable Information (PII) in public clouds (narrow, specific scope) |
| Draws Upon | ISO/IEC 27002 (with cloud-specific extensions) | ISO/IEC 27002 (with PII-specific additions for public clouds) |
| Target Audience | Cloud service providers and cloud service customers | Public cloud service providers (functioning as PII processors), also applicable to PII data controllers |
| Key Objective | Offer direction on applying ISO 27002 controls in the cloud and address distinctive cloud security threats | Provide guidance on protecting PII in public cloud environments and address privacy-specific risks |
| New Controls | 7 new cloud-specific controls | Specific guidelines integrated within the ISO 27002 control framework, with a focus on PII processing |
| In Simple Terms | Cloud Security Basics + Cloud-Specific Rules | Extra Privacy Protection for Personal Info in Public Clouds |
Relationship:
Both are based on ISO 27001 and ISO 27002: Both belong to the ISO/IEC 27000 family of standards and are built upon the core ISMS structure and control set.
ISO 27018 can be viewed as a specialism within cloud security: whereas ISO 27017 takes a wider view of protecting the cloud environment, ISO 27018 focuses on the specific issue of safeguarding personal information within that environment.
Complementary Standards: Both standards can be valuable to organizations. ISO 27017 provides a solid cloud security framework, and ISO 27018 provides the layers of control and direction needed to manage PII within that framework.
Which Ones Really Make a Difference?
Cloud Service Customers (Organizations utilizing cloud):
If dealing with PII in public clouds: ISO 27018 is essential to ensure their cloud vendors have sufficient controls in place to safeguard this sensitive information. Knowledge of ISO 27017 can also assist in assessing the overall security posture of their vendors.
If not dealing heavily with PII in public clouds but still using cloud computing: ISO 27017 is essential for securing their applications, data, and infrastructure in the cloud.
Conclusion:
ISO 27017 and ISO 27018 are not mutually exclusive; they are complementary standards that tackle different but related aspects of cloud security. For cloud providers and any business that depends heavily on cloud computing, learning about and possibly adopting these standards signals a commitment to security, privacy, and customer trust, and can be a differentiator in today’s digital market. Which standards really matter will depend on the particular context and the nature of the data being processed in the cloud, but both are important components in setting up and maintaining a secure cloud environment.
Why Work with Azpirantz on ISO 27017 & ISO 27018?
Choosing the right cloud security standard is one thing; making sure it fits your environment and gets implemented correctly is another. That’s where our team at Azpirantz can help.
We’ve worked with a wide range of businesses, from cloud service providers to organizations using public cloud platforms, to break down these standards and apply them in ways that are actually useful. Whether you’re looking to strengthen your general cloud security (ISO 27017) or make sure personal data is handled responsibly (ISO 27018), we’ll guide you through what matters, and what’s worth focusing on.
If you’re planning to align with either standard or both, we’re here to support you with practical, no-fluff guidance.
Learn more about our ISO 27017 Consulting
See how we support ISO 27018 Compliance
*The content is released by Azpirantz marketing team.