How to use ISO 27017 to manage legal risks related to geographical location

Cloud services are often sold as solutions that can be anywhere and everywhere. All that is necessary is a computer and a network connection to work with data, applications, and resources. While this is true from the user’s point of view, cloud services ultimately rely on physical infrastructure, which has to be somewhere, and providers’ decisions about where to deploy this infrastructure may bring risks that should be treated.

This article presents some legal aspects of geographical location that cloud service users should consider when assessing the risks to a cloud service provider’s ability to deliver the expected results, and shows how ISO 27001 and ISO 27017, a code of practice for information security for cloud services, can help to properly address these risks and define security controls.

Why should I be concerned about where my cloud service provider deploys its infrastructure?

Because every place has some degree of laws, regulations, and other legal issues that define how services can be performed or delivered, and if your cloud provider operates in a place (e.g., city, state, or country) other than yours, the different legal views of the service may give rise to unacceptable risks to your business, requiring a review of the service’s conditions or at least adjustments to the risk treatment plan.

How are cloud services, geographical location, and legal issues related to each other?

Before talking about how legal issues may affect cloud services risks, it is necessary to understand how they relate to geographical location, and the first thing we need to know is that cloud service physical infrastructure deployment must be approached from two points of view: as centralized and decentralized resources.

From a centralized resources point of view, a cloud service’s physical infrastructure is concentrated to take advantage of economy of scale (the cost per unit decreases as the operation’s size increases), resulting in facilities of considerable size in a single place, with an equally considerable need for resources.

From a decentralized resources point of view, a physical infrastructure is spread out to increase availability (no localized event can bring down the service) and market penetration (availability for as many users as possible), resulting in facilities in many different places (e.g., cities, states, and countries).

After the most promising deployment places are selected, the final decision considers how laws, regulations, and other legal issues applicable to potential sites may impact the provider’s operational costs and profitability, and this is where cloud service users should pay attention, because the best solution for providers does not necessarily mean the best one for customers, and in some cases it is just the opposite.

Legal risks to cloud services derived from geographical location

When cloud service infrastructure is deployed in a place, or places, other than the provider’s headquarters or where its clients operate, this can give rise to risks like:

  • Lack of, or conflicting, legal requirements: In case of litigation between user and provider, gray areas in the legal systems involved can lead to battles that can last for years.
  • Trends in legal trials’ results: Depending on where the causes may be adjudicated, historical or cultural aspects may make results more favorable to one party or another.
  • Government power over the data: Local government may have indiscriminate authority to access data stored in cloud infrastructures.
  • Limited technologies and controls: Some practices and technologies may not be allowed, or enforced, undermining service performance and protection.

How can ISO 27001 and ISO 27017 help deal with a cloud service’s geographical issues?

According to ISO 27001, an organization should first identify legal requirements (clause 4.2) applicable to its cloud services and perform a risk assessment (clause 6.1.2) to identify, analyze, and evaluate legal risks related to the infrastructure location of cloud service providers. Useful information may be found on providers’ sites (e.g., “About us,” “Our services,” etc.) and through Internet searches. Also, try asking the providers directly. The information you find on your own, and the helpfulness with which providers give information, or justify not providing it, will say a lot about them.

Situations like limited access to resources, locations in unsafe areas, and loopholes in legal requirements should trigger an alert.

Situations like large facilities in safe areas, near critical resources, and legally clear and fair terms of service should improve evaluation.

The second thing is ensuring that selected providers will fulfill the security controls for the risks you deem relevant. ISO 27001 recommends, through control A.15.1.2 – Addressing security within supplier agreements, that signed agreements (e.g., SLAs, Terms of Service, etc.) include all relevant information security requirements. Examples to be included, based on ISO 27001 Annex A controls, are implementation of:

  • external and internal perimeter defense (A.11.1.1 – Physical security perimeter)
  • access controls (A.11.1.2 – Physical entry controls)
  • resource planning (A.12.1.3 – Capacity management)
  • information security activities and processes to deal with disaster situations (A.17.1 – Information security continuity)
  • right to audit provider’s infrastructure (A.18.2.1 – Independent review of information security)

These examples are recommendations from ISO 27017 complementing ISO 27001 Annex A controls:

  • identification of relevant authorities considering location where data and information are stored and processed (A.6.1.3 – Contact with authorities)
  • definition of cryptography functionalities to be made available by the cloud service provider that are both fit to business purposes and accepted by laws and regulations of locations where providers have their infrastructure (A.10.1.1 – Policy on the use of cryptographic controls)

Learn more about security with suppliers and shared responsibilities by reading these articles: 6-step process for handling supplier security according to ISO 27001 and Resolving cloud security concerns by defining clear responsibilities according to ISO 27017.

Cloud infrastructure location is not irrelevant

One of cloud computing’s greatest operational benefits, releasing you from operational load, also hides some perils by reducing the user’s perception of common infrastructure risks and adding new risks associated with spreading this same infrastructure across regions with different legal requirements.

By using ISO 27001 controls and ISO 27017 recommendations, you can retake control of such risks and ensure that cloud service providers have the ability to offer the expected service performance with proper protection of information.

Use this free online training, the ISO 27001 Foundations course, to learn how to handle legal requirements.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.