Strengthening Your ISO 27001 Information Security Management System with the ISO 27017 and ISO 27018 Codes of Practice

Tom Martin Ball, Alcumus ISOQAR’s Information Security Sector Manager, looks at how you can make your ISMS even more resilient.

Share this story

Written by: Alcumus
11th June

Tom Martin Ball, Alcumus ISOQAR’s Information Security Sector Manager, looks at how you can make your ISMS even more resilient.

The ISO 27001 Information Security Management System standard has become a fixture of many industries and organisations. And just like a successful film franchise, it has spawned several sequels and spin-offs.
 
In some cases, these are ‘Codes of Practice’ related to specific industries or applications. There are over 40 of these and some have multiple parts. Some are auditable standards, some are not.
 
Two that have been drawing a lot of attention are:

  • ISO 27017 Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services.
  • ISO 27018 Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors.

Like ISO 27001, they are all part of the ISO/IEC 27000 family of standards.
 
Obviously, both are driven by the rise of cloud systems. ISO 27018 has the additional driver of new legal and regulatory requirements of GDPR (General Data Protection Regulations) and DPA (Data Protection Act) 2018.
 
Remember - the clue is in the names of the codes - these codes are only of relevance for organisations using ‘the cloud’. ISO standard numbers get bandied around with little understanding and I have had organisations whose clients have asked them if they are certified even though they do not use the cloud!
 
So just to emphasise - ‘the cloud’ is an absolute necessity. This applies to both codes of practice.

ISO 27017 Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services

 
ISO 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems. When implementing this code, you select the controls that are relevant to your organisation.

Some of the additional controls that ISO 27017 caters for include:

  • Who is responsible for what between the cloud service provider and the cloud customer?
  • The removal or return of assets at the end of a contract.
  • Protection and separation of the customer's virtual environment.
  • Virtual machine configuration.
  • Administrative operations and procedures associated with the cloud environment.
  • Cloud customer monitoring of activity.
  • Virtual and cloud network environment alignment.

ISO 27018 Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors

 
ISO 27018 helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII.
 
The document provides guidance on many new controls including:

  • A requirement to cooperate with PII controllers.
  • Maintenance of PII principals’ rights.
  • Compliance with fundamental privacy requirements.
  • Transparency and accountability.
  • Requirements for sub-contracted processing.

Structure


Both ISO 27017 and ISO 27018 are based upon ISO 27001 with a section 4 to 10 following the same pattern as the ‘parent’ standard.
 
The key feature however is they have their own Annex A of controls. This is in addition to the Annex A in 27001. (Some of these have the same numbering as ISO 27001 so they can be a little confusing.)

What to do next?

 
As both are ‘codes of practice’ rather than standalone ISO management systems, they can be added to an existing ISO 27001 management system as extra control.
 
Alcumus ISOQAR is offering both codes and clients who have implemented them have found it to be a painless process that has brought great benefit. In most cases, existing clients have added these as Extensions to Scope (ETS) to their existing ISO 27001 certification.
 
To discuss whether ISO 27017 and/or ISO 27018 is right for your organisation, just get in touch and we’ll talk it through with you.