Last Updated on November 20, 2018
With the exponential growth of cloud computing, organizations of all sizes need to understand their risks around storing sensitive data in the cloud, as well as investigate and implement cloud security options. To support this effort, several specialized cloud security standards are available.
Two of these standards have risen to prominence worldwide: ISO 27017 and CSA STAR. This post compares these leading standards, including the use cases each is intended to address.
The Cloud Security Alliance, Security Trust and Assurance Registry (CSA STAR) is a “program” that encompasses three levels of assurance (self-assessment, third-party certification and continuous auditing) and is specifically geared toward supporting and evaluating cloud service providers (CSPs). The CSA STAR program is based on the following guidelines:
- The CSA Cloud Controls Matrix (CCM), a “meta-framework” of cloud-specific security controls mapped to ISO 27001, PCI/DSS, HIPAA, COBIT and other standards. It is intended to provide “a de-facto standard for cloud security assurance and compliance” that can guide CSPs in optimizing their security posture, as well as help companies assess a CSP’s security posture.
- The Consensus Assessments Initiative Questionnaire, a set of yes/no questions that a prospective customer or auditor can ask cloud providers to gauge their alignment with the Cloud Controls Matrix.
- The CSA Code of Conduct for GDPR Compliance, a tool to help CSPs comply with the GDPR.
Leveraging these resources, CSPs can self-assess and publicly document their security controls, and/or gain CSA STAR certification based on a rigorous, third-party assessment that encompasses both CCM and ISO 27001 requirements. An option for CSPs to continuously publish data about their security practices is “under development.”
ISO 27017:2015 is a descriptively named Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Building on the controls defined in ISO 27001 and described in more detail in ISO 27002, this framework adds additional controls and implementation guidance specifically to help businesses securely provision and use cloud services to protect information that is stored and/or processed in the cloud.
Sections in ISO 27001 where the most cloud-specific guidance is added include:
- 9. Access control
- 12. Operations security
- 13. Communications security
- 15. Supplier relationships
- 18. Compliance
Meeting an industry-wide need, ISO 27017 addresses the respective roles and responsibilities of CSPs and their customers around cloud security. It clarifies who is responsible for what controls, how to securely remove/return information assets upon contract termination, separation, and protection of customers’ cloud environments, monitoring of customers’ activity in the cloud, and more.
Even more so than CSA STAR, ISO 27017 offers guidance to both CSPs and cloud consumers. Cloud consumers can use it to develop the cloud-specific controls within their information security management system (ISMS), while CSPs can use it as guidance for implementing security controls.
ISO 27017 is not a management standard in and of itself, but rather a “code of practice.” However, certification bodies can issue what amounts to a “statement of compliance” with ISO 27017 in the context of a broader ISO 27001 certification audit. In other words, to achieve ISO 27017 “certification” companies (including CSPs) need to achieve ISO 27001 certification, either initially or in parallel.
Which standard is right for your situation?
ISO 27017 provides value to businesses moving data to the cloud and/or sharing data in the cloud, including CSPs. CSA STAR is a bit more comprehensive and is targeted at CSP’s.
Cloud consumers will find greater value in 27017. CSP’s will find value in both 27017 and CSA STAR, with ISO 27017 being a good interim point on the way to CSA STAR if that is the longer-term goal. As 27017 and CSA STAR largely cover the same ground and you can achieve both without significantly greater effort and cost.
An attestation of compliance with either standard will help businesses build trust with customers and other stakeholders, demonstrate competitive advantage, protect their brand/reputation, comply with regulations like the GDPR or [California’s new CCPA] and—most importantly—secure the data they’re charged with protecting.
To benefit from expert advice on how your organization can best achieve an information security attestation, or strategically evaluate its cloud security posture, contact Pivot Point Security.
- The CSA’s mapping of ISO 27002/27017/27018 controls to its Cloud Controls Matrix
- An overview of ISO 27018, the “sister” standard to ISO 27017 that encompasses security controls to ensure privacy and the protection of personally identifiable information (PII).
- 5 top InfoSec accreditations for SaaS providers