Users place a lot of trust in cloud providers to keep their data safe and secure.

To this end ISO/IEC 27017 & 27018 aim to reduce the risk of security problems by providing enhanced controls for cloud service providers and cloud service customers.

What does the standard provide?

The standard provides cloud-based guidance on 37 of the controls in ISO/IEC 27002 but also features seven new cloud controls that address the following:

Who is responsible for what between the cloud service provider and the cloud customer.
The removal/return of assets when a contract is terminated.
Protection and separation of the customer’s virtual environment.
Virtual machine configuration.
Administrative operations and procedures associated with the cloud environment.
Cloud customer monitoring of activity within the cloud.
Virtual and cloud network environment alignment.

Unlike many other technology-related standards ISO/IEC 27017 clarifies both party’s roles and responsibilities to help make cloud services as safe and secure as the rest of the data included in a certified information management system.

ISO 27017 is about information security controls for cloud services (generic), and ISO 27018 is specifically developed for protecting privacy in the cloud.

ISO/IEC 27018 Information technology - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

The cloud offers organizations and consumers a variety of benefits: cost savings, flexibility and mobile access to information top the list. It also raises concerns about data protection and privacy; particularly around personally identifiable information (PII). PII includes any piece of information that can identify a specific user. The more obvious examples include names and contact details or your mother’s maiden name. But ones people may not readily think of are medical records, IP addresses and banking statements.

Used with ISO/IEC 27001, ISO/IEC 27018 has been published to allow Cloud Service Providers whose infrastructure is certified to the standard to tell their existing and potential customers that their data is safeguarded and won’t be used for any purposes for which they don’t specifically give consent.

Conclusion

Before moving on, take a minute to note down any security measure you can think of that might fall under the umbrella of IT infrastructure security.