Locking Up Your Cloud Environment | 1
LOCKING UP YOUR CLOUD ENVIRONMENT
An Introduction to ISO/IEC 27017 and ISO/IEC 27018
Agenda
• Introduction
• ISO 27017 Overview
• ISO 27018 Overview
• ISO 27017 and ISO 27018 Application
• ISO 27017 and ISO 27018 Audit Approach
• Market Acceptance of ISO 27017 and ISO 27018
• Q&A
ISO 27017 Overview
• Based on ISO/IEC 27002 for cloud providers
• Issued December 15, 2015
• Applicable to the provision and use of cloud services
• Supplement to ISO 27002 for cloud providers
27017 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Cloud service provider control guidance
• Not intended to be a unique control set
– e.g. A6.1.2 – Segregation of duties
• Recommendations, not requirements – "should" v. "shall"
27017 Depth – Supplemental Controls
• 35 supplemental controls to ISO 27001 Annex A
– All domains but Information Security Aspects of Business Continuity
– A5 (1), A6 (2), A7 (1), A8 (2), A9 (7), A10 (2), A11 (1), A12 (6), A13 (1), A14 (2), A15 (2), A16 (3), A18 (5)
27017 Depth – Extended Controls
• 7 extended controls (27017 Annex A)
– Covers domains A6, A8, A9, A12, and A13
– Act as additional controls to complement those of Annex A
27017 – How Unique?
• Not very unique
• Most CSPs are already designed to meet 27017
• Supplemental control example
• Extended control
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
• Supplement to ISO 27002 for public cloud providers
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
– e.g. A6.1.2 – Segregation of duties
• Recommendations, not requirements – "should" v. "shall"
27018 Depth – Supplemental Controls
• 14 supplemental controls to ISO 27001 Annex A
– All domains but Asset Management; System Acquisition, Development, and Maintenance; Supplier Relationships; and Information Security Aspects of Business Continuity Management
– A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
27018 Depth – Extended Controls
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
– Covers: Consent and choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance
– Act as additional controls to complement those of Annex A
27018 – How Unique?
• More unique than 27017
• Incorporation of privacy principles
• Supplemental control example
– A11.2.7 – Secure disposal or re-use of equipment: equipment containing storage media that may possibly contain PII should be treated as though it does
• Extended control example
– A.4 – Data minimization: temporary files and documents should be erased or destroyed within a specified, documented period
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
– Internal and external issues
– Needs and expectations of interested parties
– Interfaces and dependencies between activities performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment where necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine whether each supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure any modification to the information security objectives is measured
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into audit plan / program
• Assessment of results
• Planned remediation
Initial Certification
• Stage 2 incorporation of 27017 and/or 27018
• Statement of Applicability acts as an audit road map
Surveillance / Recertification
• Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
• Apply heavier focus on inclusion of ISO 27017 and/or ISO 27018
Scope Expansion
• Specifically focus on inclusion of ISO 27017 and/or ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
Inclusion on Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27017 and/or ISO 27018
• Available on the certificate directory
• No unique mark or certificate issued for ISO 27017 and/or ISO 27018 (i.e. unaccredited certificates)
ISO 27017
• Relatively new
• Market adoption driven by customers and/or competitors
• General cloud application v. CSA STAR Program
ISO 27018
• Greater acceptance
• Withdrawal of Safe Harbor
• Greater interest in privacy and security, specifically for cloud services