ISO, the International Organization for Standardization
ISO is a not-for-profit organization with 167 members, representing virtually all countries. Its aim is to develop international standards and hope to provide answers to global issues.
To better understand this blog, we have to explain what is an “International Standard”?:
"An International Standard is a document that provides concrete information and best practices. It often describes an agreed way of proceeding, or a solution to a global problem.".
ISO 27000 , information security management
Of all the ISO standards, the one we are interested in today is the 27000 family: it ensures the security of sensitive information in organizations. Compliance with and implementation of the ISO 27000 family of standards makes it easier to manage the security of assets such as financial information, intellectual property, employee data and information entrusted by third parties…
ISO 27001, the best-known standard
ISO 27001 is probably the best-known ISO standard. It is a globally recognized standard for information security management. In other words, it provides companies with a guide to protecting the data they possess or handle.
To meet this standard, companies must follow a "Plan-Do-Check-Act" cycle (PDCA), and implement a comprehensive strategy to ensure the security of the data they handle. It must also follow a policy with procedures and controls adapted to its organization, called "Information Security Management System". It's a global approach, not just limited to cybersecurity.
Overall, the company must demonstrate its willingness and the actions it is taking to protect sensitive data in accordance with the 3 principles of ISO 27001:
- Integrity (of information),
- Availability (of data).
To be more precise, ISO 27001 is a standard: it defines the specific frameworks and practical guides that a company must implement to obtain certification. Certification is awarded following an audit by an independent body. A company may decide not to go through the certification process.
These standards are regularly updated to keep pace with increasingly sophisticated cyber-attacks.
ISO 27017 and ISO 27018, security in the cloud
The last decade has brought many changes in data storage and transit, and the advent of the cloud is no longer in question. However, these evolutions, which have seen the emergence of cloud computing, imply new security rules.
In the case of ISO 27017 and 27018, security is essentially concerned with Personally Identifiable Information (PII) in cloud computing.
ISO 27017: Protecting information in the cloud
As the cloud becomes more widespread, users are demanding guarantees about the security of data storage and processing in the cloud. The market for cloud services is characterized by the dispersal of suppliers around the world, and by the regular transfer of data from one country to another. It is therefore essential to be able to rely on international guidelines.
According to Satoru Yamasaki, one of the editors who worked on the standard, "ISO/IEC 27017 will help service providers find common ground with their customers on the adequacy of security controls and their implementation recommendations. This International Standard for Cloud Security Controls will facilitate the development and expansion of more secure cloud computing systems".
ISO 27018: Protecting personal data in the cloud
ISO 27018 applies to any type of entity, whether public or private, from the moment it offers information processing services via cloud computing under contract to other organizations.
Published in 2014, ISO/IEC 27018 is the first International Standard to focus on the protection of personal data in the cloud.
ISO/IEC 27018, a pioneering standard in the field of personal data protection in the cloud, has various objectives:
- Help cloud service providers who process personal data to meet applicable legal obligations, as well as customer expectations
- Ensure transparency, so that customers can choose well-managed cloud services
- Make it easier to draw up contracts for cloud services
- Provide cloud customers with a mechanism to ensure that cloud providers comply with legal and other requirements.
To sum up, ISO/IEC 27018 provides a concrete reference for establishing trust in this market. At the same time, it gives the public cloud industry a clear direction for addressing some of its customers' legal and regulatory concerns.