Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Locking Up Your Cloud Environment | 1
LOCKING UP YOUR
CLOUD ENVIRONMENT
An Introduction to ISO/IEC 27017
and ISO/IEC 27018
Locking Up Your Cloud Environment | 2
• Introduction
• ISO 27017 Overview
• ISO 27018 Overview
• ISO 27017 and ISO 27018 A...
Locking Up Your Cloud Environment | 3
RYAN MACKIE
ISO Certification Practice Director
Locking Up Your Cloud Environment | 4
ISO 27017
Overview
Locking Up Your Cloud Environment | 5
• Based on ISO/IEC 27002 for cloud providers
• December 15, 2015
• Applicable to the...
Locking Up Your Cloud Environment | 6
• Alignment to ISO 27001 Annex A / ISO 27002
• Cloud server provider control guidanc...
Locking Up Your Cloud Environment | 7
• 35 supplemental controls to ISO 27001 Annex A
– All domains but Information Securi...
Locking Up Your Cloud Environment | 8
• 7 extended controls (27017 Annex A)
– Covers domains A6, A8, A9, A12, and A13
– Ac...
Locking Up Your Cloud Environment | 9
27017 – How Unique?
• Not very unique
• Most CSPs are already designed to meet 27017...
Locking Up Your Cloud Environment | 10
ISO 27018
Overview
Locking Up Your Cloud Environment | 11
• Code of practice for protection of personally identifiable
information (PII) in p...
Locking Up Your Cloud Environment | 12
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control ...
Locking Up Your Cloud Environment | 13
• 14 supplemental controls to ISO 27001 Annex A
– All domains but Asset Management;...
Locking Up Your Cloud Environment | 14
• 25 extended controls (based on 11 privacy principles of
ISO/IEC 29100)
– Covers:
...
Locking Up Your Cloud Environment | 15
• More unique than 27017
• Incorporation of privacy principles
• Supplemental Contr...
Locking Up Your Cloud Environment | 16
ISO 27017 and ISO
27018 Application
Locking Up Your Cloud Environment | 17
• Modify the scope statement as applicable
• Ensure appropriate inclusion through i...
Locking Up Your Cloud Environment | 18
• Identification of supplemental and extended controls
through the risk assessment ...
Locking Up Your Cloud Environment | 19
• Incorporate supplemental / extended controls into the SOA
• Justification of incl...
Locking Up Your Cloud Environment | 20
• Modify the information security objectives as appropriate
• Ensure to measure any...
Locking Up Your Cloud Environment | 21
• Measure key supplemental / extended controls to ensure
effectiveness
• Ensure app...
Locking Up Your Cloud Environment | 22
• Incorporation into audit plan / program
• Assessment of results
• Planned remedia...
Locking Up Your Cloud Environment | 23
ISO 27017 and ISO
27018 Audit Approach
Locking Up Your Cloud Environment | 24
• Stage 2 incorporation of 27017 and/or 27018
• Statement of applicability acts as ...
Locking Up Your Cloud Environment | 25
• Perform regular maintenance review to ensure continued
conformance and operating ...
Locking Up Your Cloud Environment | 26
• Specifically focus on inclusion of ISO 27017 and/or ISO
27018
• Assess relevant e...
Locking Up Your Cloud Environment | 27
• Included as a part of the scope statement, related to
SOA based on ISO 27017 and/...
Locking Up Your Cloud Environment | 28
Market Acceptance of
ISO 27017 and ISO 27018
Locking Up Your Cloud Environment | 29
• Relatively new
• Market adoption driven by customers
and/or competitors
• General...
Locking Up Your Cloud Environment | 30
• Greater acceptance
• Withdrawal of Safe Harbor
• Greater interest in privacy and ...
Locking Up Your Cloud Environment | 31
Thank You
Prochain SlideShare
Chargement dans…5
×

Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018

885 vues

Publié le

ISO 27017 /27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII).

Discover:
• Background of ISO 27017 and 27018
• Scope and Purpose
• Comparison with ISO 27001 and 27002
• Future of ISO 27017 with ISO 27018
• Challenges and Benefits
• Certification Process and Next Steps

Publié dans : Services
  • Soyez le premier à commenter

Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018

  1. 1. Locking Up Your Cloud Environment | 1 LOCKING UP YOUR CLOUD ENVIRONMENT An Introduction to ISO/IEC 27017 and ISO/IEC 27018
  2. 2. Locking Up Your Cloud Environment | 2 • Introduction • ISO 27017 Overview • ISO 27018 Overview • ISO 27017 and ISO 27018 Application • ISO 27017 and ISO 27018 Audit Approach • Market Acceptance of ISO 27017 and ISO 27018 • Q&A Agenda
  3. 3. Locking Up Your Cloud Environment | 3 RYAN MACKIE ISO Certification Practice Director
  4. 4. Locking Up Your Cloud Environment | 4 ISO 27017 Overview
  5. 5. Locking Up Your Cloud Environment | 5 • Based on ISO/IEC 27002 for cloud providers • December 15, 2015 • Applicable to the provision and use of cloud services • Supplement to ISO 27002 for cloud providers ISO 27017 Overview
  6. 6. Locking Up Your Cloud Environment | 6 • Alignment to ISO 27001 Annex A / ISO 27002 • Cloud server provider control guidance • Not intended to be a unique control set – e.g. A6.1.2 – segregation of duties • Recommendations not Requirements – Should v Shall 27017 Design
  7. 7. Locking Up Your Cloud Environment | 7 • 35 supplemental controls to ISO 27001 Annex A – All domains but Information Security Aspects of Business Continuity – A5 (1), A6 (2), A7 (1), A8 (2), A9 (7), A10 (2), A11 (1), A12 (6), A13 (1), A14 (2), A15 (2), A16 (3), A18 (5) 27017 Depth – Supplemental Controls
  8. 8. Locking Up Your Cloud Environment | 8 • 7 extended controls (27017 Annex A) – Covers domains A6, A8, A9, A12, and A13 – Act as additional control to complement that of Annex A 27017 Depth – Extended Controls
  9. 9. Locking Up Your Cloud Environment | 9 27017 – How Unique? • Not very unique • Most CSPs are already designed to meet 27017 • Supplemental Control Example • Extended control
  10. 10. Locking Up Your Cloud Environment | 10 ISO 27018 Overview
  11. 11. Locking Up Your Cloud Environment | 11 • Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors • Issued August 1, 2014 • Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. • Supplement to ISO 27002 for public cloud providers ISO 27018 Overview
  12. 12. Locking Up Your Cloud Environment | 12 • Alignment to ISO 27001 Annex A / ISO 27002 • Public cloud PII protection control implementation guidance • Not intended to be a unique control set – e.g. A6.1.2 – segregation of duties • Recommendations not Requirements – Should v Shall 27018 Design
  13. 13. Locking Up Your Cloud Environment | 13 • 14 supplemental controls to ISO 27001 Annex A – All domains but Asset Management; System Acquisition, Development, and Maintenance; Supplier Relationships; and Information Security Aspects of Business Continuity Management – A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1) 27018 Depth – Supplemental Controls
  14. 14. Locking Up Your Cloud Environment | 14 • 25 extended controls (based on 11 privacy principles of ISO/IEC 29100) – Covers: • Consent and Choice; Purpose legitimacy and specification; Data minimization; Use, retention and disclosure limitation; Openness, transparency and notice; Accountability; Information security; and Privacy compliance – Act as additional control to complement that of Annex A 27017 Depth – Extended Controls
  15. 15. Locking Up Your Cloud Environment | 15 • More unique than 27017 • Incorporation of privacy principles • Supplemental Control Example – A11.2.7– Secure disposal or re-use of equipment – Equipment containing storage media that may possibly contain PII should be treated as though it does • Extended control – A.4 – Data Minimization – Temporary files and documents should be erased or destroyed within a specified, documented period 27017 – How Unique?
  16. 16. Locking Up Your Cloud Environment | 16 ISO 27017 and ISO 27018 Application
  17. 17. Locking Up Your Cloud Environment | 17 • Modify the scope statement as applicable • Ensure appropriate inclusion through identification of: – Internal and external issues – Needs and expectations of interested parties – Interfaces and dependencies performed by the organization and those performed by other organization Design – Scope (Clause 4)
  18. 18. Locking Up Your Cloud Environment | 18 • Identification of supplemental and extended controls through the risk assessment process • Controls should be necessary to mitigate risk applicable to scope • Apply appropriate treatment if necessary Design – Risk Assessment (Clause 6)
  19. 19. Locking Up Your Cloud Environment | 19 • Incorporate supplemental / extended controls into the SOA • Justification of inclusion / exclusion still apply (for entire related standard) • Determine if the supplemental / extended control is in place Design – Statement of Applicability (Clause 6)
  20. 20. Locking Up Your Cloud Environment | 20 • Modify the information security objectives as appropriate • Ensure to measure any modification to the information security objectives Design – Objectives (Clause 6)
  21. 21. Locking Up Your Cloud Environment | 21 • Measure key supplemental / extended controls to ensure effectiveness • Ensure appropriate and proper criteria is applied • Include relevant personnel Monitoring – Measurement (Clause 9.1)
  22. 22. Locking Up Your Cloud Environment | 22 • Incorporation into audit plan / program • Assessment of results • Planned remediation Monitoring – Internal Audit (Clause 9.2)
  23. 23. Locking Up Your Cloud Environment | 23 ISO 27017 and ISO 27018 Audit Approach
  24. 24. Locking Up Your Cloud Environment | 24 • Stage 2 incorporation of 27017 and/or 27018 • Statement of applicability acts as a audit road map Initial Certification
  25. 25. Locking Up Your Cloud Environment | 25 • Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS • Apply heavier focus on inclusion of ISO 27017 and/or ISO 27018 Surveillance / Recertification
  26. 26. Locking Up Your Cloud Environment | 26 • Specifically focus on inclusion of ISO 27017 and/or ISO 27018 • Assess relevant elements of ISMS and supplemental / extended controls Scope Expansion
  27. 27. Locking Up Your Cloud Environment | 27 • Included as a part of the scope statement, related to SOA based on ISO 27017 and/or ISO 27018 • Available on certificate directory • No unique mark or certificate issued for ISO 27017 and/or ISO 27018 (i.e. unaccredited certificates) Inclusion on Certificate
  28. 28. Locking Up Your Cloud Environment | 28 Market Acceptance of ISO 27017 and ISO 27018
  29. 29. Locking Up Your Cloud Environment | 29 • Relatively new • Market adoption driven by customers and/or competitors • General cloud application v. CSA STAR Program ISO 27017
  30. 30. Locking Up Your Cloud Environment | 30 • Greater acceptance • Withdrawal of Safe Harbor • Greater interest in privacy and security, specifically for cloud services ISO 27018
  31. 31. Locking Up Your Cloud Environment | 31 Thank You

×