Beyond 27001: Why ISO 27017, 27018, and 27036 Matter More Than You Think

The ISO 27017 standard, which was published in 2015, provides guidelines for information security controls in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27017 standard are to: 

• Provide a common framework for evaluating and implementing information security controls in the cloud 
• Help organizations to ensure that their cloud services are secure, and that sensitive data is protected 
• Provide guidance on implementing the security controls specified in the ISO 27001 standard in a cloud environment 

The scope of the ISO 27017 standard includes the following: 

• Information security controls applicable to cloud services 
• The use of cloud services in an organization's information security management system (ISMS) 
• The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

The ISO 27018 standard, which was published in 2014, provides guidelines for protecting personal data in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27018 standard are to: 

• Provide guidance on protecting personal data in the cloud 
• Help organizations to comply with privacy laws and regulations 
• Provide a common framework for evaluating and implementing privacy controls in the cloud 

The scope of the ISO 27018 standard includes the following: 

• Privacy controls applicable to cloud services 
• The use of cloud services in an organization's privacy management system 
• The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

The ISO 27036 standard, which was published in 2016, provides guidelines for securing the supply chain in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27036 standard are to: 

• Provide a common framework for evaluating and implementing supply chain security controls in the cloud 
• Help organizations to ensure that their cloud services are secure and that sensitive data is protected 
• Provide guidance on implementing the security controls specified in the ISO 27001 standard in a supply chain context 

The scope of the ISO 27036 standard includes the following: 

• Supply chain security controls applicable to cloud services 
• The use of cloud services in an organization's supply chain security management system 
• The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

In summary, the ISO 27017, ISO 27018, and ISO 27036 standards provide guidelines and best practices for information security management in the cloud. These standards address specific security issues related to cloud computing, privacy protection, and supply chain security, respectively. By implementing the controls specified in these standards, organizations can ensure that their cloud services are secure, and that sensitive data is protected.