Public Sector authorities and the Third Sector are becoming more active in assessing and adopting an XaaS ("anything as a service") strategy for service delivery, but not without careful and thorough consideration.
If you have had cause to assess the benefits of a move to cloud-delivered applications and services, then you will also have augmented this work with a risk assessment. Most likely you have had to consider the risk of poor quality of service and poor network performance, struggled to identify tangible, measurable cost savings and, probably most importantly, weighed the risk factors associated with the security and privacy of data.
At Protocol Policy Systems we know about these concerns because, through our work in the Local Authority and Third Sector, we have assisted organisations in commencing a journey to improve their security posture. Getting foundational, comprehensive IT policy content in place helps develop and improve IT users' behaviour, when properly socialised. A key benefit of this improvement is that the deployment of new services and technologies becomes easier and less risky.
Whether your organisation is already a consumer of "The Cloud" or is planning an XaaS adoption in the future, it is worthwhile being aware of and understanding the relevance of the ISO 27017 and ISO 27018 standards. Compliance with these cloud-focussed standards will help you raise the level of assurance you need to have in place internally, with your customers and, more importantly, with your Cloud Service Provider (CSP).
What do ISO 27017 & ISO 27018 cover?
ISO 27017 is a code of practice for information security controls, based on ISO 27002, for the provision and use of cloud services.
ISO 27017 will be of interest to both CSPs and cloud service customers (CSCs), as it sets out implementation guidance for each party. It provides cloud-specific guidance for 37 of the existing security controls in ISO 27002 and adds seven new cloud-specific controls:
- Shared roles and responsibilities – which of the CSP and the CSC does what, documented and agreed
- Contract termination arrangements – the timely removal and/or return of the customer's assets when the service ends
- Documentation of the cloud environment – the CSP must be able to provide the CSC with information on critical operations and administrative procedures when customers require it, so that each side can meet its own obligations
- Monitoring of cloud service activity by the customer – the CSP provides the capability for the CSC to monitor its own use of the service
- Segregation and protection of the customer's virtualised environment from other tenants
- Virtual machine hardening – baseline configuration requirements for virtual machines
- Alignment of the security management of the virtual and physical network environments
ISO 27018 is focussed on the privacy and protection of Personally Identifiable Information (PII) processed in the public cloud, where the CSP acts as a PII processor.
ISO 27018 provides the following key guidelines to CSPs:
- PII may not be used for marketing or advertising purposes. The customer retains control over its own data and the CSP is required to process PII only as instructed by the customer. Note that the standard requires the express consent of the PII principal (the individual the data is about) before PII is used for marketing or advertising; the customer's own agreement is not a substitute for that.
- CSPs are required to train employees who handle and manage PII, and there are specific guidelines on the storage, restoration and movement of data.
- In the event of a data breach the CSP must notify the customer promptly, maintain comprehensive records of the incident and assist the customer in meeting its own security and notification obligations.
- A CSP must disclose the names and details of any sub-processors of PII it uses before concluding a customer contract. This requirement extends to any change of sub-processors part way through a contract period, and the customer must be given the opportunity to object to, and terminate the contract over, a change of sub-processor it is not happy with.
Could it be time for you to re-assess your organisation's current IT policies in line with ISO 27002, the code of practice for information security controls, and factor in the ISO 27017 and ISO 27018 standards?
If so, please contact firstname.lastname@example.org to arrange a time and date to discuss how our IT policy management system and subject matter experts can assist you.
P.S. Watch out for our next brief on General Data Protection Regulation (GDPR).