Family Affair: Using ISO 27001 to conform to ISO 27017 and ISO 27018

ISO 27000 Family – Information Security Management Systems

The ISO 27000 family of standards is related to an organization’s information security management systems, or ISMS. This international standard helps organizations by providing a clear set of requirements that can be used to manage the security of the business’ assets. An ISMS is a systematic approach used to manage the overall information security program to ensure that it remains effective.

One of the benefits of ISO 27001 certification is that it assesses the entire scope of information security, including the technical controls as well as management’s oversight of information security. This all-encompassing approach secures people, processes, and technologies to minimize risk.

Read more: ISO 27001: The Four Most Common Post-Certification Pitfalls

ISO 27001

Organizations can achieve certification against ISO 27001 to demonstrate the maturity of the company’s information security environment. This standard provides a methodology for the establishment, implementation, operation, management, and maintenance of information security within an organization.

There are seven mandatory clauses including objectives for organizations seeking conformance to the ISO 27001 standard:

  • Context of the organization
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance Evaluation
  • Improvement

Additionally, there are 14 discretionary controls defined in the Annex:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

Benefits of ISO 27001 Certification

ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes, and build a culture of information security. The framework also helps organizations in reducing security incidents and meeting additional compliance requirements.

In addition, the standard helps organizations implement controls that are relevant to their unique risks and assets, instead of providing generalized guidance that isn’t applicable to the organization. This holistic, tailored approach makes the ISO 27001 standard functional for organizations of any size, in any industry.

How to Achieve ISO 27001 Certification

Certification should be conducted by an ISO 27001 accredited certification body. Certification will include the following audit activities:

  • Pre-Assessment: Although not required to achieve certification, for organizations who have not undergone the ISO 27001 process before, the pre-assessment is conducted for organizations who need additional assistance in becoming ISO 27001 compliant. A-LIGN simulates the certification process by performing a review of the company’s scope, policies, procedures, and processes to identify any gaps that may need remediation prior to certification.
  • Stage 1 Audit: A-LIGN reviews the organization’s scope, policies, procedures, and processes to confirm conformance with the documentation requirements of ISO 27001.
  • Stage 2 Audit: Once organizations have completed stage 1, the stage 2 tests the conformance of the information security management system with ISO 27001 and the company’s internal policies and procedures. This includes interviews, inspections of documented evidence, and observations of organizational processes.
  • Surveillance Audit: To ensure that the organization’s ISMS continues to conform to ISO 27001 standards, surveillance audits are performed for two years following certification.

ISO 27001 certifications are valid for three years.

ISO 27017

ISO 27017, or Code of Practice for Information Security Controls Based on ISO/IEC 27001 for Cloud Services, provides guidance based upon ISO 27002 for the cloud services industry.

The standard provides guidance specific to cloud-service providers on 37 of the controls in ISO 27002, but also features seven new controls:

  • Shared roles and responsibilities within a cloud computing environment
  • Removal of cloud service customer assets
  • Segregation in virtual computing environments
  • Virtual machine hardening
  • Administrator’s operation security
  • Monitoring of cloud services
  • Alignment of security management for virtual and physical networks

This standard is relevant to organizations that provide cloud-based services, and for any organization that stores information in the cloud.

Benefits of ISO 27017

Any cloud provider that is entrusted with sensitive customer data could potentially benefit from ISO 27017. The standard assists organizations by providing guidance unique to the cloud environment, and addresses pain points for many cloud providers such as the delineation of roles and responsibilities within a cloud computing environment.

This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27017 standard allows for organizations to reduce the risk inherent to cloud-service organizations, and the potential cost of a breach.

How to leverage certification for ISO 27017

Because ISO 27017 is not a management standard, organizations cannot be certified strictly against the ISO 27017 controls. However, A-LIGN can assist organizations by adding the additional ISO 27017 controls to the scope of an ISO 27001 certification audit to ensure that companies can demonstrate conformance to the ISO 27017 standard.

Read more: Strengthening the Cloud: ISO 27017 and ISO 27018

ISO 27018

ISO 27018, or Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting is PII Processors, is a standard designed for cloud computing organizations who are responsible for handling personally identifiable information.

ISO 27018 provides the following controls to supplement those set within ISO 27001 and ISO 27002:

  • Customer and end-user control rights
  • Restriction on disclosure to or access of third parties to PII
  • Treatment of media containing PII

Benefits of ISO 27018

There is a need for organizations that handle PII to ensure this information is secured. This standard creates an additional level of customer confidence in ensuring that standards are in place to protect the information, allowing both the customer and end-user to be assured that their information is safe.

This standard can help organizations enhance their information security management system to the specific needs of their environment. Additionally, utilizing the ISO 27018 standard allows for organizations to minimize the risk inherent to cloud-service organizations, and the potential cost of a breach.

How to leverage certification for ISO 27018

Again, because ISO 27018 is not a management standard, organizations cannot be certified strictly against the ISO 27018 controls. However, A-LIGN can assist organizations by adding the additional ISO 27018 controls to the scope of an ISO 27001 certification audit to ensure companies can demonstrate conformance to the ISO 27018 standard.

Choosing the Right ISO Standard

The ISO 27000 family of standards provides options for organizations to implement the controls that are relevant to their business needs, their customer needs, and their end-user needs.  As an accredited certification body, A-LIGN can conduct the certification audits to demonstrate conformance with ISO 27001, ISO 27017 and ISO 27018.