Relationship to ISO 27001 and 27002
Overview
ISO 27017 does not exist in isolation. It is designed to work in conjunction with ISO 27001 (Information Security Management Systems) and ISO 27002 (Code of Practice for Information Security Controls). Understanding these relationships is crucial for effective implementation and potential certification.
Learning Objectives
By the end of this lesson, you will be able to:
- Understand how ISO 27017 relates to ISO 27001 and 27002
- Map ISO 27017 controls to ISO 27002 controls
- Integrate ISO 27017 into an ISO 27001 ISMS
- Understand certification possibilities with ISO 27017
- Plan an integrated implementation approach
- Leverage existing ISO 27001/27002 implementations for cloud security
The ISO 27000 Family
Standards Hierarchy
```
┌──────────────────────────────────────────────┐
│  ISO/IEC 27000 - Vocabulary and Definitions  │
└──────────────────────┬───────────────────────┘
                       │
             ┌─────────┴─────────┐
             │                   │
   ┌─────────▼─────┐     ┌───────▼────────────────┐
   │ ISO/IEC 27001 │     │ ISO/IEC 27002          │
   │ ISMS Reqts    │     │ Security Controls      │
   │ (Certifiable) │     │ (Code of Practice)     │
   └─────────┬─────┘     └───────┬────────────────┘
             │                   │
             │         ┌─────────┴───────────┐
             │         │                     │
   ┌─────────▼─────────▼┐      ┌─────────────▼──────┐
   │ ISO/IEC 27017      │      │ Other sector-      │
   │ Cloud Security     │      │ specific standards │
   │ Code of Practice   │      │ (27018, 27701...)  │
   └────────────────────┘      └────────────────────┘
```
Overview of Related Standards
| Standard | Type | Purpose | Certification |
|---|---|---|---|
| ISO 27000 | Vocabulary | Definitions and overview | No |
| ISO 27001 | Requirements | ISMS specification | Yes |
| ISO 27002 | Code of Practice | Control implementation guidance | No |
| ISO 27017 | Code of Practice | Cloud-specific controls | No (standalone) |
| ISO 27018 | Code of Practice | Cloud PII protection | No (standalone) |
| ISO 27701 | Extension | Privacy Information Management | Yes (with 27001) |
ISO 27001: The Management System
What is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). It specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS.
Key Components of ISO 27001
1. Context of the Organization (Clause 4)
- Understanding the organization and its context
- Understanding needs and expectations of interested parties
- Determining scope of the ISMS
- Establishing the ISMS
2. Leadership (Clause 5)
- Management commitment
- Information security policy
- Organizational roles, responsibilities, and authorities
3. Planning (Clause 6)
- Risk assessment and treatment
- Information security objectives and planning
4. Support (Clause 7)
- Resources
- Competence
- Awareness
- Communication
- Documented information
5. Operation (Clause 8)
- Operational planning and control
- Information security risk assessment
- Information security risk treatment
6. Performance Evaluation (Clause 9)
- Monitoring, measurement, analysis, and evaluation
- Internal audit
- Management review
7. Improvement (Clause 10)
- Nonconformity and corrective action
- Continual improvement
ISO 27001 Annex A Controls
ISO 27001 Annex A lists 93 controls organized into 4 themes (2022 version):
| Theme | Number of Controls | Purpose |
|---|---|---|
| Organizational Controls | 37 | Management, policies, HR, suppliers |
| People Controls | 8 | Before, during, and after employment |
| Physical Controls | 14 | Physical security |
| Technological Controls | 34 | Technical security controls |
Note: The 2022 version restructured controls from the previous 14 domains to 4 themes.
ISO 27002: The Code of Practice
What is ISO 27002?
ISO 27002 provides detailed guidance on implementing the controls listed in ISO 27001 Annex A. It is a best practice guide, not a certifiable standard.
ISO 27002 Structure (2022)
Each control in ISO 27002 includes:
- Control: What needs to be implemented
- Purpose: Why the control is important
- Guidance: How to implement the control
- Other Information: Additional context and considerations
Example ISO 27002 Control
A.8.1 - User endpoint devices
Control Type: Technological
Control: Information stored on, processed by or accessible via user endpoint devices shall be protected.
Purpose: To prevent unauthorized disclosure, modification, removal or destruction of information stored on user endpoint devices.
Guidance: Includes protection of:
- Laptops, tablets, mobile phones
- Removable media
- Information in transit
- Remote working scenarios
ISO 27017: Cloud-Specific Guidance
What is ISO 27017?
ISO 27017 is a code of practice that:
- Provides additional implementation guidance for relevant ISO 27002 controls when applied to cloud services
- Introduces new cloud-specific controls not covered in ISO 27002
Structure of ISO 27017
ISO 27017 controls are categorized as:
Type 1: Cloud-Enhanced Controls
- Controls from ISO 27002 with additional cloud-specific implementation guidance
- Designated with original control number (e.g., A.9.4.1)
Type 2: Cloud-Specific Controls
- New controls unique to cloud computing
- Designated with "CLD" prefix (e.g., CLD.6.3.1)
Cloud-Specific Controls in ISO 27017
| Control | Title | Applies To |
|---|---|---|
| CLD.6.3.1 | Virtual machine hardening | CSP, CSC (IaaS/PaaS) |
| CLD.6.3.2 | Protection of virtual machine images | CSP, CSC (IaaS/PaaS) |
| CLD.8.1.5 | Removal/return of cloud service customer assets | CSP |
| CLD.9.5.1 | Cloud service customer monitoring of cloud service activity | CSC |
| CLD.9.5.2 | Virtual network environment protection | CSP, CSC |
| CLD.12.1.5 | Administrative operations and procedures for cloud computing environment | CSP, CSC |
| CLD.12.4.5 | Monitoring of cloud services | CSC |
| CLD.13.1.4 | Securing cloud service user management interfaces | CSP |
Relationship Mapping
How ISO 27017 Extends ISO 27002
Example 1: Access Control
ISO 27002 Control A.9.4.1 - Information Access Restriction
- General: Restrict access to information and application system functions
ISO 27017 Additional Guidance for Cloud:
- For CSPs: Implement mechanisms to isolate customer data and processing
- For CSCs: Configure access controls appropriately within cloud services
- Cloud-specific considerations: Multi-tenancy, virtualized environments, APIs
Example 2: Cryptography
ISO 27002 Control A.10.1.1 - Policy on Use of Cryptographic Controls
- General: Develop and implement policy on cryptographic controls
ISO 27017 Additional Guidance for Cloud:
- For CSPs:
- Provide encryption capabilities
- Support customer-managed encryption keys
- Ensure encryption doesn't compromise isolation
- For CSCs:
- Understand what data is encrypted by provider
- Implement additional encryption where needed
- Manage encryption keys appropriately
Control Mapping Matrix
| ISO 27002/27001 | ISO 27017 Cloud Enhancement | New Cloud Control |
|---|---|---|
| A.9.4.1 - Access restriction | Additional guidance on cloud access | - |
| A.10.1.1 - Cryptography policy | Cloud encryption guidance | - |
| A.12.1.3 - Capacity management | Cloud resource management | - |
| - | - | CLD.6.3.1 - VM hardening |
| - | - | CLD.9.5.1 - Cloud monitoring |
| A.13.1.1 - Network controls | Cloud network guidance | CLD.9.5.2 - Virtual network protection |
Complete Mapping Example
ISO 27002 Domain: Access Control
| ISO 27002 Control | Cloud Applicable? | ISO 27017 Enhancement | Cloud-Specific Control |
|---|---|---|---|
| A.9.1.1 - Access control policy | Yes | Guidance on shared responsibility | - |
| A.9.1.2 - Access to networks | Yes | Cloud network access guidance | - |
| A.9.2.1 - User registration | Yes | Cloud user provisioning | - |
| A.9.2.2 - User access provisioning | Yes | CSP/CSC provisioning roles | - |
| A.9.4.1 - Access restriction | Yes | Multi-tenant considerations | - |
| - | - | - | CLD.9.5.1 - Cloud monitoring |
Integration with ISO 27001 ISMS
Approach 1: Cloud-Enhanced ISMS
For organizations with existing ISO 27001 certification adding cloud services:
Step 1: Scope Expansion
- Review current ISMS scope
- Add cloud services to scope
- Identify cloud-specific risks
Step 2: Risk Assessment Update
- Assess cloud-specific risks
- Apply ISO 27017 guidance
- Update risk treatment plan
Step 3: Control Enhancement
- Review existing Annex A controls
- Apply ISO 27017 cloud guidance
- Implement cloud-specific controls where applicable
Step 4: Documentation Update
- Update information security policy
- Enhance procedures for cloud
- Document cloud-specific controls
Step 5: Certification Maintenance
- Surveillance audit includes cloud scope
- Demonstrate ISO 27017 implementation
- Maintain combined certification
Approach 2: Cloud-First ISMS
For organizations implementing ISO 27001 primarily for cloud:
Step 1: ISMS Framework
- Establish ISMS according to ISO 27001
- Define scope including cloud services
- Establish context of organization
Step 2: Integrated Risk Assessment
- Conduct risk assessment with cloud focus
- Use ISO 27017 as primary control reference
- Consider ISO 27002 for non-cloud aspects
Step 3: Statement of Applicability (SOA)
- Select Annex A controls
- Apply ISO 27017 guidance
- Justify exclusions
Step 4: Implementation
- Implement controls per ISO 27017
- Document cloud-specific procedures
- Train personnel on cloud security
Step 5: Certification
- Pursue ISO 27001 certification
- Reference ISO 27017 implementation
- Demonstrate cloud control effectiveness
ISMS Documentation for Cloud
Required ISO 27001 Documents with Cloud Considerations:
| Document | Cloud-Specific Enhancements |
|---|---|
| Information Security Policy | Cloud security principles, shared responsibility |
| Risk Assessment Methodology | Cloud risk factors, multi-tenancy risks |
| Risk Treatment Plan | Cloud controls from ISO 27017 |
| Statement of Applicability | ISO 27017 controls referenced |
| Access Control Policy | Cloud access models, federation |
| Asset Inventory | Cloud services, virtual assets |
| Incident Response Plan | CSP notification, cloud incident procedures |
| Business Continuity Plan | Cloud provider dependencies, data portability |
| Supplier Management | Cloud provider assessments, SLAs |
Certification Considerations
ISO 27001 Certification with ISO 27017
Current Practice:
- ISO 27017 is not independently certifiable
- Organizations get ISO 27001 certification
- Can reference ISO 27017 compliance in scope
Certification Statement Example:
"XYZ Corporation has achieved ISO/IEC 27001:2022
certification for its Information Security Management
System, with cloud security controls implemented in
accordance with ISO/IEC 27017:2015."
Scope: Provision of cloud-based customer relationship
management (CRM) services.
Audit Approach
Stage 1 Audit (Documentation Review):
- Review ISMS documentation
- Verify ISO 27017 controls in SOA
- Assess cloud risk assessment
- Review cloud-specific procedures
Stage 2 Audit (Implementation Assessment):
- Verify control implementation
- Test cloud-specific controls
- Review cloud provider agreements
- Assess monitoring effectiveness
- Interview cloud security personnel
Surveillance Audits:
- Ongoing compliance verification
- Cloud security incident reviews
- Changes to cloud services
- SOA updates for new cloud controls
Benefits of Combined Certification
| Benefit | Description |
|---|---|
| Market Differentiation | Demonstrates cloud security expertise |
| Customer Confidence | Assurance for cloud service customers |
| Regulatory Advantage | Supports compliance requirements |
| Operational Excellence | Structured approach to cloud security |
| Risk Management | Comprehensive cloud risk framework |
Implementation Roadmap
Phase 1: Assessment (Months 1-2)
If No Existing ISMS:
- Conduct gap analysis against ISO 27001
- Assess cloud services in scope
- Identify applicable ISO 27017 controls
- Assess current security maturity
- Define ISMS scope
If Existing ISO 27001:
- Review current ISMS scope
- Identify cloud services to add
- Gap analysis for ISO 27017
- Update risk assessment for cloud
Phase 2: Planning (Month 3)
- Define information security policy updates
- Conduct cloud risk assessment
- Develop risk treatment plan
- Create Statement of Applicability (ISO 27017 controls)
- Define roles and responsibilities
- Develop implementation project plan
- Secure budget and resources
Phase 3: Implementation (Months 4-9)
ISMS Foundation (if new):
- Establish ISMS framework
- Develop core policies and procedures
- Implement basic controls
Cloud-Specific Implementation:
- Implement ISO 27017 cloud controls
- Update cloud provider agreements
- Deploy cloud security tools (CASB, CSPM, etc.)
- Implement monitoring and logging
- Conduct security awareness training
- Document procedures and work instructions
Phase 4: Validation (Months 10-11)
- Internal audit of ISMS
- Test cloud security controls
- Review incident response procedures
- Management review
- Address nonconformities
- Update documentation
Phase 5: Certification (Month 12)
- Select certification body
- Schedule Stage 1 audit
- Address Stage 1 findings
- Schedule Stage 2 audit
- Address Stage 2 findings
- Achieve certification
- Plan surveillance audits
Ongoing: Maintenance and Improvement
- Quarterly management reviews
- Continuous monitoring
- Regular risk assessments
- Annual internal audits
- Surveillance audits (typically annual)
- Continual improvement initiatives
Practical Example: Integrated Implementation
Scenario: SaaS Provider Implementing ISO 27001 with ISO 27017
Company: CloudCRM Inc., providing cloud-based CRM services
Goal: ISO 27001 certification with ISO 27017 implementation
Step 1: Define Scope
ISMS Scope:
"The provision, development, and support of cloud-based
customer relationship management software delivered as
a service (SaaS) to enterprise customers."
Includes:
- Application development and maintenance
- Cloud infrastructure (AWS)
- Customer data processing
- Customer support operations
Excludes:
- Corporate IT (office networks, endpoints)
- Marketing operations
Step 2: Risk Assessment
Sample risks identified:
| Risk | Likelihood | Impact | ISO 27017 Controls |
|---|---|---|---|
| Unauthorized access to customer data | Medium | Critical | A.9.2.1, A.9.4.1, CLD.9.5.1 |
| Data loss | Low | Critical | A.12.3.1, A.17.1.1 |
| Multi-tenant data bleed | Low | Critical | A.9.4.4, CLD.6.3.1 |
| AWS service disruption | Medium | High | A.17.1.1, A.17.2.1 |
| API vulnerability exploitation | Medium | High | A.14.1.2, A.14.2.1 |
Step 3: Statement of Applicability
Excerpt from SOA:
| Control | Applicable | Implementation | ISO 27017 Guidance Used |
|---|---|---|---|
| A.9.2.1 - User registration | Yes | SCIM-based user provisioning | Cloud user lifecycle |
| A.10.1.1 - Cryptography | Yes | TLS 1.3, AES-256 encryption at rest | Cloud encryption guidance |
| CLD.9.5.1 - Cloud monitoring | Yes | CloudWatch, SIEM integration | Cloud-specific control |
| A.15.1.2 - Supplier agreements | Yes | AWS BAA, SLA monitoring | CSP agreement requirements |
Step 4: Implementation Highlights
Cloud-Specific Controls Implemented:
- Virtual machine hardening (CLD.6.3.1) - Minimal OS images, automated patching
- Cloud service monitoring (CLD.9.5.1) - Real-time dashboards, automated alerts
- Virtual network protection (CLD.9.5.2) - VPC isolation, security groups, NACLs
ISO 27002 Controls with Cloud Enhancement:
- A.12.1.3 (Capacity management) - Auto-scaling policies, capacity alerts
- A.13.1.1 (Network controls) - Cloud-native firewall, WAF
- A.16.1.1 (Incident response) - Integration with AWS security findings
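The virtual network protection highlight above (CLD.9.5.2, VPC isolation, security groups, NACLs) is the kind of control a Stage 2 auditor will ask to see tested. The following is an added example, not CloudCRM's tooling or anything from the ISO text: a small audit of security-group ingress rules against the lesson's control references. The rule shape loosely mirrors the EC2 API but is a constructed sample, the set of ports that may be internet-facing is an assumption for the example, and the mapping of findings to CLD.9.5.2 is the author's illustration of evidence collection, not ISO's wording.

```python
"""Audit constructed security-group ingress rules for internet exposure and
record each finding against the control it is evidence for (CLD.9.5.2,
virtual network environment protection, per this lesson's table).

Added example; the sample groups, port policy and control mapping are
assumptions for illustration, not real account data or ISO text."""
from dataclasses import dataclass

# Constructed sample in a simplified EC2-like shape (assumption, not an API response).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-admin-example",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # SSH from anywhere
         {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},       # RDP from private range only
    {"GroupId": "sg-open-example",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},  # everything open
]

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports the organisation allows to face the internet (assumption for the example).
PUBLIC_ALLOWED_PORTS = {80, 443}


@dataclass
class Finding:
    group_id: str
    control: str    # control reference this finding is evidence against
    severity: str
    detail: str


def _exposed_ports(perm):
    """Return the (from, to) port range; protocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return (0, 65535)
    return (perm.get("FromPort", 0), perm.get("ToPort", 65535))


def audit_security_groups(groups):
    """Flag ingress rules reachable from any address on non-approved ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            public = sorted(c for c in cidrs if c in ANYWHERE)
            if not public:
                continue                      # not internet-reachable, nothing to flag
            lo, hi = _exposed_ports(perm)
            if (lo, hi) == (0, 65535):
                findings.append(Finding(sg["GroupId"], "CLD.9.5.2", "high",
                                        f"all protocols and ports open to {public}"))
            elif any(p not in PUBLIC_ALLOWED_PORTS for p in range(lo, hi + 1)):
                findings.append(Finding(sg["GroupId"], "CLD.9.5.2", "medium",
                                        f"ports {lo}-{hi} open to {public}"))
    return findings


def summarise_by_control(findings):
    """Count findings per control reference, the shape an SOA evidence note needs."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{f.group_id}: [{f.control}] {f.severity}: {f.detail}")
    print(summarise_by_control(audit_security_groups(SAMPLE_SECURITY_GROUPS)))
```

Run against the constructed sample it flags the public SSH rule and the fully open group and leaves the HTTPS rule and the private-range RDP rule alone; feeding it the real `describe-security-groups` output would require adapting the field names, which are only approximated here.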
Step 5: Audit and Certification
Stage 1 Findings:
- Minor: Incident response plan didn't include CSP notification procedures
- Minor: Cloud asset inventory incomplete
Corrective Actions:
- Updated incident response plan with AWS notification process
- Implemented automated cloud asset discovery tool
Stage 2 Result:
- Certification achieved
- Certificate scope references ISO 27017 implementation
Control Mapping Reference Table
Sample ISO 27002 to ISO 27017 Mapping
| Domain | ISO 27002 Control | ISO 27017 Enhancement | Applicability |
|---|---|---|---|
| Access Control | A.9.1.1 - Access control policy | Shared responsibility definition | CSP, CSC |
| | A.9.2.1 - User registration | Cloud user lifecycle | CSP, CSC |
| | A.9.4.1 - Access restriction | Multi-tenant isolation | CSP, CSC |
| Cryptography | A.10.1.1 - Crypto policy | Cloud encryption options | CSP, CSC |
| | A.10.1.2 - Key management | Customer-managed keys | CSP, CSC |
| Operations | A.12.1.3 - Capacity management | Cloud resource elasticity | CSP, CSC |
| | A.12.3.1 - Backup | Cloud backup services | CSP, CSC |
| | A.12.4.1 - Event logging | Cloud logging services | CSP, CSC |
| Communications | A.13.1.1 - Network controls | Virtual network security | CSP, CSC |
| | A.13.1.3 - Segregation | Multi-tenant segregation | CSP |
| Supplier Relations | A.15.1.1 - Supplier security | Cloud provider assessment | CSC |
| | A.15.1.2 - Supplier agreements | Cloud SLA requirements | CSC |
| Cloud-Specific | - | CLD.6.3.1 - VM hardening | CSP, CSC |
| | - | CLD.9.5.1 - Cloud monitoring | CSC |
Key Takeaways
- ISO 27017 extends ISO 27002 with cloud-specific guidance and new controls
- ISO 27001 provides the ISMS framework within which ISO 27017 controls are implemented
- ISO 27017 is not independently certifiable but can be referenced in ISO 27001 certification
- Integration is straightforward - ISO 27017 controls map directly to ISO 27001 Annex A structure
- Existing ISO 27001 organizations can expand scope to include cloud with ISO 27017 guidance
- Cloud-first organizations can implement ISO 27001 using ISO 27017 as primary control reference
- Documentation must reflect cloud aspects - policies, procedures, and SOA should reference ISO 27017
- Certification audits will assess both ISO 27001 requirements and ISO 27017 control implementation
- Implementation can be phased - start with high-risk areas and expand coverage
- The standards work together - ISO 27001 (what), ISO 27002 (how), ISO 27017 (cloud-specific how)
Preparation for Next Lesson
In the next lesson, Module Assessment, you will:
- Test your understanding of Module 1 concepts
- Apply knowledge to practical scenarios
- Prepare for Module 2 on Cloud Service Provider Controls
Self-Assessment Questions
- What is the relationship between ISO 27001 and ISO 27017?
- Can an organization get ISO 27017 certification without ISO 27001?
- How does ISO 27017 enhance ISO 27002 controls?
- What are the two types of controls in ISO 27017?
- How many cloud-specific controls (CLD prefix) does ISO 27017 introduce?
- What is a Statement of Applicability (SOA)?
- How should cloud services be reflected in the ISMS scope?
- What is the difference between ISO 27002 and ISO 27017?
- How often are surveillance audits typically conducted?
- What are the main phases of implementing an integrated ISO 27001/27017 ISMS?
Practical Exercise
Exercise: Create a Statement of Applicability Extract
Scenario: You are implementing ISO 27001 for a company that uses:
- AWS IaaS for application hosting
- Microsoft 365 for productivity
- Salesforce for CRM
Task: Create an SOA extract for the Access Control domain that includes:
- Applicable ISO 27002 controls
- How ISO 27017 guidance is applied
- Implementation description for each
- Justification for any exclusions
Format:
| Control | Applicable (Y/N) | ISO 27017 Guidance | Implementation Summary |
|---|---|---|---|
| ... | ... | ... | ... |
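Both the CloudCRM SOA excerpt in Step 3 above and this exercise produce the same artefact: an SOA extract that a Stage 1 auditor will check for completeness. The following is an added example, not part of the lesson and not any organisation's real SOA: it holds an Access Control extract for the exercise scenario (AWS IaaS, Microsoft 365, Salesforce), validates it the way an internal auditor would (applicable controls need an implementation summary, exclusions need a justification, every referenced control must exist, every catalogued control must be addressed) and renders it in the exercise's table format. The catalogue is limited to the control identifiers this lesson lists; the row contents are constructed, and `CLD.9.9.9` is a deliberately invalid identifier included to show the unknown-reference check.

```python
"""Validate and render a Statement of Applicability (SOA) extract for the
Access Control domain.

Added example; the catalogue holds only identifiers that appear in this
lesson, and the sample rows are constructed for the exercise scenario."""
from dataclasses import dataclass
from typing import Optional

# Control titles as given in this lesson's mapping tables.
CATALOGUE = {
    "A.9.1.1": "Access control policy",
    "A.9.1.2": "Access to networks",
    "A.9.2.1": "User registration",
    "A.9.2.2": "User access provisioning",
    "A.9.4.1": "Access restriction",
    "CLD.9.5.1": "Cloud service customer monitoring of cloud service activity",
}


@dataclass
class SoaRow:
    control: str
    applicable: bool
    iso27017_guidance: str = ""
    implementation: str = ""
    justification: Optional[str] = None   # required when the control is excluded


# Constructed SOA extract for the exercise scenario (AWS IaaS, M365, Salesforce).
SAMPLE_SOA = [
    SoaRow("A.9.1.1", True, "Shared responsibility definition",
           "Policy states CSP/CSC duties per service (AWS, M365, Salesforce)"),
    SoaRow("A.9.2.1", True, "Cloud user lifecycle",
           "Joiner/mover/leaver driven from the IdP; SCIM provisioning to Salesforce and M365"),
    SoaRow("A.9.2.2", True, "CSP/CSC provisioning roles",
           "AWS IAM roles per team; M365 admin roles reviewed quarterly"),
    SoaRow("A.9.4.1", True, "Multi-tenant considerations", ""),      # implementation left blank
    SoaRow("A.9.1.2", False, "", "", None),                            # excluded, no justification
    SoaRow("CLD.9.5.1", True, "Cloud-specific control",
           "CloudTrail and M365 audit logs forwarded to the SIEM"),
    SoaRow("CLD.9.9.9", True, "", "constructed invalid id"),           # not a real control
]


def validate_soa(rows):
    """Return (control, problem) tuples an internal auditor would raise."""
    problems = []
    seen = set()
    for row in rows:
        if row.control not in CATALOGUE:
            problems.append((row.control, "unknown control reference"))
        if row.control in seen:
            problems.append((row.control, "duplicate row"))
        seen.add(row.control)
        if row.applicable:
            if not row.implementation.strip():
                problems.append((row.control, "applicable but no implementation summary"))
            if row.control.startswith("CLD.") and not row.iso27017_guidance.strip():
                problems.append((row.control, "cloud-specific control lacks ISO 27017 guidance note"))
        elif not (row.justification or "").strip():
            problems.append((row.control, "excluded without justification"))
    # An SOA must address every control in scope, applicable or not.
    for cid in CATALOGUE:
        if cid not in seen:
            problems.append((cid, "control not addressed in SOA"))
    return problems


def render_soa(rows):
    """Render the extract in the exercise's table format."""
    lines = ["| Control | Applicable (Y/N) | ISO 27017 Guidance | Implementation Summary |",
             "|---|---|---|---|"]
    for row in rows:
        title = CATALOGUE.get(row.control, "?")
        summary = row.implementation if row.applicable else f"N/A: {row.justification or ''}"
        lines.append(f"| {row.control} - {title} | {'Y' if row.applicable else 'N'} "
                     f"| {row.iso27017_guidance} | {summary} |")
    return "\n".join(lines)


if __name__ == "__main__":
    for control, problem in validate_soa(SAMPLE_SOA):
        print(f"{control}: {problem}")
    print(render_soa(SAMPLE_SOA))
```

On the constructed rows the validator reports four problems (the blank A.9.4.1 implementation, the unjustified A.9.1.2 exclusion, and two against the invalid `CLD.9.9.9` row); clearing those before the Stage 1 documentation review is exactly the kind of fix the CloudCRM findings above describe.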
This lesson has demonstrated how ISO 27017 integrates with ISO 27001 and 27002 to provide a comprehensive framework for cloud security. The next lesson will test your understanding of all Module 1 concepts.