Back in 2014, and without much fanfare, we completed our ISO 27001:2013 certification. It was the final piece of a 12 month plan to mature our Security and Privacy Programs in order to exceed the expectations of our customers, but more importantly, improve the controls that safeguard the confidentiality, integrity, and availability of customer data.
Here we are a couple of years later, and ISO 27001:2013 certification is quickly becoming a baseline requirement for cloud service providers to achieve and maintain, typically after they get a SOC 2 report in the hands of their customers and prospects. To be frank, ISO 27001:2013 was not created specifically with cloud service providers in mind. There was also some adjustment period for certification bodies, auditors, and to a certain extent, cloud service providers themselves, to fully align ISO 27001:2013 requirements to your typical cloud service provider environment.
Nevertheless, the International Organization for Standardization (ISO), was not idle, and a year after ISO 27001:2013 was published, they published another standard that was created specifically for cloud service providers. The ISO 27018:2014 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors was useful to most cloud service providers right out of the box. It helped to clearly define requirements for cloud service providers acting as data processors, which pretty much covers most of them, in regards to the handling of personal data.
One of the added benefits of ISO 27018:2014 was that it gave cloud service customers, as the data controllers, something to use when evaluating data processors. In other words, highlighting key areas for customers to review with their cloud service providers as part of their first time or ongoing due diligence. It is important to note that data controllers are ultimately responsible for the data they are entrusting to data processors, so the importance of such knowledge cannot be overstated.
With last year’s increased focus on privacy concerns, the timing of this standard and of cloud service providers adopting it, could not have been better planned. Even better, instead of being a standalone standard, ISO 27018:2014 built upon ISO 27001:2013, thus ensuring a quick path to adoption by entities already certified or on the path to become certified. In short, increasing the inherent value of this certification.
Late last year, ISO released ISO 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Similar to the previous standard, it builds upon ISO 27001:2013. However, whereas ISO 27018:2014 focused on privacy for cloud service providers, this new standard focuses on information security for both cloud service providers as the data processors, and cloud service customers as the data controllers. It revisits specific areas of ISO 27001:2013 Annex A and ISO 27002:2013 to provide explicit guidance for both types of entities.
Once again, the timing of this publication is in line with an evolving tech environment that continues to see frequent data breaches and ever increasing cloud adoption. Arming both cloud service providers and cloud service customers with information they can use to augment their security programs, while building on (potentially) existing controls, is literally the rising tide that lifts all boats.
If you have not embarked upon the ISO 27001:2013 road yet, the beginning of the year is a good time to start. Even if you don’t think you are ready to go through certification, just going through the process will help point out areas of improvement. If you have embarked upon this path, then consider augmenting it with ISO 27018:2014 and ISO 27017:2015, especially if you are a cloud service provider. It’s by no means a failsafe way to protect your data, but it’s a great roadmap to follow on the never ending road to security and compliance.