How can ISO 27017 and 27018 help secure the cloud?


The ISO (International Organization for Standardization) is the world's largest developer of international standards, covering pretty much everything. So it should come as no surprise that this includes IT security, in the shape of ISO 27001, or ISO/IEC 27001 (which grew out of the British standard BS 7799) to be precise.

This standard formally specifies the requirements for an information security management system (ISMS) that identifies and treats the risks to your business, and as such it requires a pretty comprehensive risk assessment and audit to establish where those risks actually lie. Unsurprisingly, many enterprises look to their cloud providers to be certified to ISO 27001 (and to follow ISO 27002, the accompanying code of practice for information security controls, which is guidance rather than something a provider can be certified against) to demonstrate that they take security seriously. But these are broad brushes, sweeping across information security management regardless of where the data lives or who runs the infrastructure. Perhaps what is really needed is some kind of additional, cloud-specific, ISO standard?

Which is where ISO 27017 and ISO 27018 come in as new standards for cloud services. The latter, published last year as ISO/IEC 27018:2014, carries the formal title "Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" and provides guidance on the privacy of cloud-hosted data. ISO 27017 is still in draft form, expected to be published towards the end of this year, and will cover information security controls for cloud services outside of the privacy remit.

ISO 27018 should be of most interest to service providers offering public cloud solutions, because these act as a PII 'processor' in the eyes of data protection regulation. What the standard isn't is something that covers individuals processing data in the cloud, or even data controllers (the cloud customers) processing their own clients' data. It's purely aimed at cloud service providers acting as processors and the privacy controls they have in place. It's based around, and builds on, ISO 27002, and it takes the same sector-specific approach as the financial services ISO 27015. Because it is a code of practice rather than a certifiable standard in its own right, a provider demonstrates conformance by bringing the 27018 controls into the scope of its ISO 27001 certification, and a provider that has done so should display a good understanding of the privacy safeguards required in cloud solutions.

ISO 27017, whilst still in draft, is widely expected to be published by the end of this year. Of the two it is actually the more interesting and wide-ranging, as it will provide guidance on the cloud-specific aspects of information security controls, addressed to both the cloud service provider and the cloud service customer. As such it can be seen as supplemental to ISO 27001/27002, and to ISO 27018, which is already out there. It will offer a standardised security grounding for providers and customers alike, and if adoption takes off it could be a useful differentiator in a crowded cloud marketplace. If nothing else, ISO certification should help alleviate some of the security concerns that, survey after survey tells us, are the overriding reason holding back migration to the cloud for enterprises across the UK.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at