ISO 27001 vs. ISO 27017 – Information security controls for cloud services
The future of ISO 27017, together with ISO 27018, seems quite bright: they define security guidance for today’s fastest-growing industry – cloud computing. This topic is so big and so hot that these two standards might achieve the same level of success as their “older brothers,” ISO 27001 and ISO 27002.
What is ISO 27017?
The official name of ISO/IEC 27017 is Code of practice for information security controls based on ISO/IEC 27002 for cloud services, which means this standard is built upon the existing security controls of ISO 27002. (By the way, the security controls in ISO 27002 and in Annex A of ISO 27001 are the same; ISO 27002 only explains them in greater detail – see this article: ISO 27001 vs. ISO 27002.) In other words, ISO 27017 adds cloud-specific implementation guidance to the existing controls, and proposes a few additional controls, wherever ISO 27002 does not adequately cover cloud services. Note that it addresses both sides of the relationship: the cloud service provider and the cloud service customer.
By the way, as of the publication date of this article, ISO 27017 is still in FDIS (final draft) status – it is expected that the final version of the standard will be published sometime in December 2015.
ISO 27017 generally focuses on the protection of the information in the cloud services, while ISO 27018 focuses on protecting the personal data, as I described in my article ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud.
Gray zone for certification
Because of its predicted popularity, some certification bodies are planning to start certification against ISO 27017. However, ISO 27017 is a code of practice, not a management system standard – it contains guidance rather than auditable requirements – so regular certification is not possible; certification bodies will probably issue some kind of “statement of compliance” instead.
This is what some certification bodies have started to do with ISO 27018 (published in 2014), and they seem to do this as part of the wider ISO 27001 certification audit. In other words, companies that want to get the ISO 27017 certificate will probably have to go through ISO 27001 certification, and then as part of that audit they will also get some kind of statement that they are compliant with ISO 27017 as well.
Degree of change of cloud security controls in ISO 27017
Let’s see to what extent ISO 27017 suggests that the ISO 27001/ISO 27002 controls should be changed (the levels below are my own assessment of how much cloud-specific guidance each section receives):
| ISO 27001/ISO 27002 control section | Level of change in ISO 27017 |
|---|---|
| 5 Information security policies | Moderate |
| 6 Organization of information security | Moderate |
| 7 Human resource security | Moderate/Low |
| 8 Asset management | Moderate/Low |
| 9 Access control | High |
| 11 Physical and environmental security | Moderate/Low |
| 12 Operations security | Moderate/High |
| 13 Communications security | Moderate/High |
| 14 System acquisition, development and maintenance | Moderate |
| 15 Supplier relationships | Moderate/High |
| 16 Information security incident management | Moderate |
| 17 Information security aspects of business continuity management | Low |
So, ISO 27017 does suggest changes to most of the control sections. The biggest changes are suggested in the Access control area – which makes sense, since in a multi-tenant environment the provider’s and the customer’s users, and especially the provider’s administrators, all touch the same infrastructure. Examples: 9.2.1 User registration and de-registration, 9.2.2 User access provisioning, 9.2.3 Management of privileged access rights, 9.4.1 Information access restriction, and 9.4.4 Use of privileged utility programs.
If you compare ISO 27017 and ISO 27018 by the type of proposed changes, you’ll notice that ISO 27017 mostly adds cloud-specific guidance to the existing controls, while ISO 27018 proposes more new controls.
New controls for cloud security in ISO 27017
ISO 27017 suggests seven new controls, and their numbering is compatible with the existing structure of ISO 27001/ISO 27002 – each one is placed in the section it extends (in the standard itself they carry the prefix CLD, e.g. CLD.6.3.1):
- 6.3.1 Shared roles and responsibilities within a cloud computing environment
- 8.1.5 Removal of cloud service customer assets
- 9.5.1 Segregation in virtual computing environments
- 9.5.2 Virtual machine hardening
- 12.1.5 Administrator’s operational security
- 12.4.5 Monitoring of cloud services
- 13.1.4 Alignment of security management for virtual and physical networks
So, there’s nothing spectacular here – these cover the points that come up in any serious discussion of cloud security: who is responsible for what between provider and customer, what happens to customer data when the service ends, isolation between tenants, hardening of virtual machines, controlling and monitoring administrators, giving customers visibility into the service, and keeping virtual network controls consistent with the physical ones.
Which one to go for – ISO 27001, ISO 27017, or ISO 27018?
The more standards that exist, the more difficult it becomes to choose… In any case, ISO 27001 is the natural foundation for all companies that want to protect their information – it is still by far the most popular standard worldwide, it provides the framework for managing security, and of the three it is the only one against which a (real) certificate can be issued.
ISO 27017 is certainly appealing to companies that offer services in the cloud (and to companies that consume them), and want to cover all the angles when it comes to security in cloud computing. On the other hand, ISO 27018 is focused on cloud providers that process personal data on behalf of their customers, and want to make sure they protect this data in the most appropriate way.
So, it seems to me that for cloud companies we will most often see a combination of ISO 27001 and ISO 27017 implementation, and cloud companies with lots of personal data will probably go for all three: ISO 27001, ISO 27017, and ISO 27018.