February 9, 2024

Last Updated on February 23, 2024

ISO 27001 is the leading international standard for independently attested cybersecurity certification. It focuses on developing, operationalizing, maintaining, and continuously improving an information security management system (ISMS). ISO 27001 is not prescriptive or “one size fits all.” Instead, it empowers each organization to align its information security program with its unique risk profile and business goals.

When it comes to cloud service delivery, ISO 27001 gives cloud service providers (CSPs) a comprehensive foundation to prove they are secure and compliant with customer and regulatory requirements. To certify a cloud service as ISO 27001 compliant, a CSP must implement an ISMS that covers all aspects of the service—the software, the associated data, and the supporting infrastructure.

Many of the leading public cloud services, including Amazon Web Services and Microsoft Azure, hold ISO 27001:2022 certifications. This post explains how CSPs can benefit from ISO 27001 certification.


What ISO 27001:2022 controls are most important for CSPs?

A wide range of ISO 27001 recommended controls impact CSPs, including those related to:

  • Risk assessment
  • Privacy and data protection
  • Authentication and access control
  • Business continuity and incident response
  • Monitoring and compliance

A new control in ISO 27001:2022 Annex A is Control 5.23, Information Security for Use of Cloud Services.

Annex A Control 5.23 is a preventive control. It outlines best practices for “cloud services customers” that are onboarding to, using, and/or exiting from cloud services.

Compliance with Annex A Control 5.23 should be approached as a collaboration between the customer and the CSPs it works with. It is important for CSPs to clearly understand, articulate, and contractually define their role in supporting customers’ compliance with Annex A Control 5.23 and with other best-practice security controls.


What is the ISO 27017 cybersecurity standard for CSPs?

ISO 27017, “Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services,” is an international security standard developed specifically for CSPs.

Part of the ISO 27000 family of standards, ISO 27017 extends ISO 27001 to help both CSPs and their customers reduce cloud-based cybersecurity risk.

ISO 27017 defines 7 additional controls beyond the ISO 27001 foundation. These controls focus on:

  1. Shared and individual responsibilities between the CSP and the cloud customer for overall cybersecurity
  2. Best-practice administrative and operational procedures for CSPs
  3. Protection of customers’ cloud environments within the cloud service infrastructure
  4. Monitoring of customer activity
  5. Return or deletion of cloud-based customer assets when a contract ends
  6. Best-practice virtual machine (VM) configuration
  7. Relationships among cloud-based and physical networks

Besides the 7 CSP-specific controls, ISO 27017 also provides further implementation guidance for CSPs regarding 37 of the most relevant ISO 27001 controls.


What is CSA STAR and how does it add value to ISO 27001 certification?

Like ISO 27017, the Cloud Security Alliance Security, Trust, Assurance and Risk program (CSA STAR) is a complementary framework that defines CSP-specific controls on top of an ISO 27001 foundation:

  • For CSPs, an ISO 27001 certification alone shows stakeholders that the ISMS encompassing your cloud environment is robust.
  • Adding a CSA STAR certification on top of ISO 27001 further demonstrates that a CSP has strong security around its cloud services.

A CSA STAR certification requires an ISO 27001 certification as a prerequisite. Like ISO 27001, CSA STAR certification requires a demanding third-party audit.

A CSP that attests to both ISO 27001 and CSA STAR compliance demonstrates a higher level of cybersecurity that differentiates it from competitors. STAR also includes a public registry to help cloud customers identify CSPs that have completed the program.


What’s next?

CSPs frequently need to meet stringent security and compliance requirements to assure clients and regulators that they can protect sensitive data. CBIZ Pivot Point Security has worked with well over 100 SaaS firms to help them define and achieve their information security objectives.

For a full range of services to help CSPs identify and mitigate risks within your SaaS infrastructure while strategically enhancing your complete security posture, contact us.