Cloud risk assessment and ISO 27000 standards

How do you measure the trustworthiness of a cloud service provider? The ISO 27000 security series can help.

This tip is part of the SearchCloudSecurity.com learning guide, Cloud computing risk management: Assessing key risks of cloud computing.

Do you trust an external third party with your sensitive data? This is the primary concern for companies that are joining the gold rush that is cloud computing. Never has there been a more important role for information security professionals to play than advising management on how to gain “trust” when outsourcing their IT infrastructure to cloud providers. Is there a good measuring stick for proving a cloud provider is trustworthy? Many cloud providers tout their SAS 70 Type II certification, but one of the best tools to help with cloud risk assessment is the ISO 27000 series of standards.

SAS 70 comparison

The SAS 70 Type II has long been the standard of choice for evaluating external IT operations. This standard was originally developed by financial auditors in order to evaluate the impact of outsourcing certain business operations to third-party providers. The SAS 70 Type I was designed to verify that controls existed to protect both the confidentiality and operational stability of an external provider. The SAS 70 Type II was developed to evaluate both the existence and the effectiveness of controls in place at an external provider. Although this was preferable to the Type I, which did not test any controls, it was only as effective as the comprehensiveness of the controls being audited. In any SAS 70 audit, the provider can determine which controls will be tested; an unscrupulous cloud services provider could choose to test only the controls it knows would pass an auditor’s testing methodology.

The ISO 27000 standards

The ISO 27000 series of standards had a much different origin than the SAS 70 Type II standard. Whereas the SAS 70 has its roots in accounting and financial audits, ISO 27000 started from the ground up as an information security evaluation standard. The SAS 70 was developed and maintained by the American Institute of Certified Public Accountants (AICPA) and has been adapted for use as information security evaluation criteria. The ISO 27000 standards originated as information security evaluation criteria that were developed by the U.K. government and are now maintained by the International Standards Organization. This is a key differentiator when choosing a standard for evaluating cloud services providers.

The ISO 27000 standards define a detailed listing of controls, processes and procedures that must be followed in order to successfully complete an audit. These standards may look familiar, as the predecessors to ISO 27000 were the models for U.S. laws that regulate information security in various industries, including HIPAA and GLBA. This makes the task of creating a crosswalk between these compliance regulations and ISO 27000 relatively simple. Such a crosswalk reduces the burden on a cloud provider that’s trying to comply with multiple local, national and international compliance mandates. The output of an ISO 27000 audit could even be adapted to generate the documentation necessary for a successful SAS 70 Type II.

Although ISO 27000 was originally intended to evaluate internal technology resources, these detailed controls, processes and procedures apply equally well to cloud service providers. A company may not need to possess the information security skill sets internally to receive value from ISO 27000 certification. Management could simply look for the ISO 27000 certification from a prospective vendor and have some assurance that an information security program exists. This makes ISO 27000 one of the best available prepackaged standards for evaluating cloud services.

No substitute for due diligence

However, the ISO 27000 standards are not a substitute for developing a custom due diligence process for evaluating cloud providers in your cloud risk assessment. Companies shouldn’t make the mistake of assuming any certification or audit standard is simply “good enough” to validate prospective cloud solutions. All audits and certification specifications, such as the ISO 27000 series, are general in nature and only provide a snapshot in time of information security program capabilities. There may be data that is more sensitive in nature, or business processes that require more specific security precautions. It’s also important to evaluate the current state of the cloud provider’s information security program and whether it’s being maintained at the same level as when certification was obtained.

The ISO 27000 standards are the best prepackaged standards available today for evaluating the security programs of cloud service providers. The information security professional can look for this certification and also use it as a foundation on which to build a custom due diligence assessment. The ISO 27000 series evaluates many important aspects of an information security program, but it should be used in conjunction with a custom due diligence process aligned with a risk assessment of the data or processes being placed in the cloud. There is no single indicator that can determine whether the company’s data will be secure in the cloud, but the ISO 27000 series is a good start.

About the author:

Joseph Granneman, CISSP, has over 20 years in information technology and security with experience in both healthcare and financial services.  He has been involved in the Health Information Security and Privacy Working Group for Illinois, the Certification Commission for Health Information Technology (CCHIT) Security Working Group, and is an active InfraGard member.
