In the last few weeks, we have had a few inquiries into ISO/IEC 27017:2015 (ISO 27017) from some of our existing ISO/IEC 27001:2013 certified clients. ISO 27017 is an extension of ISO 27001, specifically with additional control implementation guidance based on existing controls from ISO/IEC 27002:2013 (ISO 27002), the same found in Annex A of ISO 27001, as well as additional controls that are embedded within the existing control domains of ISO 27002. The ISO 27017 standard is designed to be utilized for cloud service providers as well as cloud customers to help ensure that for either role, proper controls and implementation guidance has been designed and applied related to the cloud service. As an unaccredited standard, meaning that accreditation bodies do not accredit to ISO 27017 as they do to ISO 27001, the objective is to include ISO 27017 within an existing information security management system (ISMS) as an additional control set within the organization's statement of applicability (SOA). The SOA is a result of the risk assessment process, based on the context of the organization and in accordance with the prescriptive ISO 27001 requirements, and is the foundation of the controls an organization has to have in place and operating effectively to mitigate their information security risk relevant to the scope of the ISMS. In proper application, the SOA is not only what drives the measurement and monitoring requirements of Clause 9.1 of ISO 27001, it is also the foundation of the internal audit scope and the external audit assessment. The result of effectively applying ISO 27017 into an ISMS would be an ISO 27001 certificate with a reference to ISO 27017 as an extension of the SOA.
Though most cloud providers, or organizations that offer their services through the cloud, likely have already considered and implemented the guidance and controls from ISO 27017, without knowing it, ISO 27017 is not as popular in the market, as ISO 27001 extension go as much as ISO/IEC 27018:2019 or ISO/IEC 27701:2019 are. So the recent inquiries were outside of the norm. It turns out that they were related to acting as a cloud service provider, or providing cloud-based services, to the Canadian government. The Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN), issued in 2017, provides the base requirements for any cloud provider or cloud service that may offer services to departments within the Canadian government. The SPIN outlines minimum third-party assurance to consider when using an outsourced cloud service provider, and these include ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI, CSA STAR, and SOC attestations.
Organizations that do, or plan to, provide cloud services to the Canadian government must demonstrate that they have the proper controls to ensure that Protected B information or assets are secured. Protected B applies to information or assets that, if compromised, could cause serious injury to an individual, organization, or government, per the Canadian government Levels of Security. A component of this demonstration process is a third-party assessment against the control implementation guidance and controls of ISO 27017, as it seems this is required to be listed on the Government of Canada Cloud Brokering Services as a service provider (for cloud or cloud services), of course after an application and evaluation process.
From the ISO practice director at Schellman, the Canadian government utilizing ISO 27017 as a benchmark for organizations providing cloud services or services via the cloud is commended. ISO 27017 includes comprehensive control implementation guidance, and additional controls, that are specific to all cloud service organizations, and anyone in this sector should include ISO 27017 in their compliance framework.