The ISO (International Organisation for Standardisation) is the world's largest developer of international standards, for pretty much everything. So it should come as no surprise that this includes IT security in the shape of ISO 27001 or ISO/IEC 27001 (formerly BS 7799) to be precise.
This standard formally specifies a framework for information security management of risks to your business and as such requires a pretty comprehensive audit to identify where the risks to the business may be. Unsurprisingly, many enterprises look to their cloud providers to be certified to ISO 27001 standards (and ISO 27002, which is a code of practice for information security controls) to demonstrate that they take security seriously. But these are broad brushes, sweeping across information security management systems regardless of where they may be. Perhaps what is really needed is some kind of additional, and cloud-specific, ISO standard?
Which is where ISO 27017 and ISO 27018 come in as new standards for cloud services. The latter, which was released into the wild and published last year, has the formal title of being the "code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors" and provides guidance on the privacy of cloud-hosted data. ISO 27017 is still in draft form, expected to be published towards the end of this year, and will cover information security management for cloud systems outside of the privacy remit.
ISO 27018 should be of most interest to those service providers offering public cloud solutions because these act as a PII 'processor' in the eyes of data protection regulation. What the standard isn't is something that covers individuals processing data in the cloud or even controllers (or customers) processing client data. It's purely aimed at cloud service providers acting as processors and the privacy controls they have in place. It's based around, and builds on, the ISO 27002 standard and shares similarities with the financial services specific ISO 27015, and certification should display a good understanding of the privacy safeguards required in cloud solutions.
ISO 27017, whilst still in draft, is widely expected to be released by the end of this year. Of the two, it is actually the more interesting and wide-ranging as it will provide the necessary guidance on specific cloud-computing elements of information security controls. As such, it also can be seen as supplemental to ISO 27001/27002, and ISO 27018 seeing as that's already out there. It will offer a standardised security grounding for providers and customers, and if adoption takes off could be a useful differentiator in a crowded cloud marketplace. If nothing else, ISO compliance should help alleviate some of the security concerns that - survey after survey inform us - are the overriding reason holding back migration to the cloud for enterprises across the UK.
