Encryption and Key Management in the Cloud: What ISO 27017 and ISO 27018 Recommend
Data at rest. Data in transit. Who holds the keys? The ISO cloud standards provide a clear framework.
Here is what decision-makers need to know about cryptographic controls in the cloud.
The Question Every Leader Asks
Behind it lies a more specific question: “Who can see our data, and how is it protected?”
The answer, in modern cloud environments, comes down to two things:
- Encryption — scrambling data so only authorized parties can read it
- Key management — controlling the “keys” that unscramble it
These are not just technical details. They are governance decisions that determine:
- Whether you can prove compliance to auditors
- Whether you can protect data from unauthorized access
- Whether you can confidently terminate a cloud contract and take your data with you
- Whether you sleep soundly after a cloud provider breach announcement
ISO 27017 (cloud security) and ISO 27018 (cloud privacy) provide a clear framework for both.
This guide translates those requirements into plain language—so you can ask the right questions, make informed decisions,
and ensure your cloud encryption strategy actually works.
The Two ISO Cloud Standards: A Quick Refresher
Before diving into encryption specifics, let’s clarify what these standards cover.
| Standard | Focus Area | Applies To |
|---|---|---|
| ISO 27017 | Security controls for cloud services | Both cloud providers and customers |
| ISO 27018 | Protection of personal data (PII) in public cloud | Public cloud providers processing PII |
Neither is a standalone certification. They are implemented within your ISO 27001 ISMS and assessed during your regular audit cycle.
ISO 27017 addresses the shared responsibility model and adds cloud-specific guidance including expectations around encryption and key management.
ISO 27018 focuses specifically on protecting PII and emphasizes encryption plus transparency and customer control.
The Two States of Data: At Rest and In Transit
Data at Rest
Data at rest includes:
- Files stored in cloud storage (S3, Azure Blob, SharePoint)
- Databases and backups
- Virtual machine disks
- Archived data
What ISO 27017/27018 expect:
- Strong encryption for data at rest, especially when it contains PII
- Clear policies on what is encrypted and why
- Documentation of encryption methods and key management practices
Data in Transit
Data in transit includes:
- Data moving between your office and the cloud
- Data moving between cloud services
- Data moving between cloud regions
What ISO 27017/27018 expect:
- Encryption of all PII transmitted over public networks (TLS 1.2+)
- Protection of administrative connections to cloud environments
- Secure distribution of any cryptographic materials
The Encryption Decision Matrix
| Data Type | At Rest Requirement | In Transit Requirement | Who’s Responsible |
|---|---|---|---|
| Customer PII | Strong encryption (e.g., AES-256) | TLS 1.2+ | Mostly provider, customer verifies |
| Employee PII | Strong encryption | TLS 1.2+ | Shared (depends on service model) |
| Intellectual property | Encryption recommended | Encryption recommended | Customer (may use provider tools) |
| Public data | None required | None required | N/A |
Free: Cloud Encryption Governance Pack
Includes a key ownership decision tree, a shared responsibility matrix template, and an audit-ready encryption policy outline.
The Critical Question: Who Holds the Keys?
ISO 27017 addresses this directly by expecting cloud providers to offer customers the ability to independently control encryption keys (especially for higher-risk data and regulated workloads).
The Key Management Spectrum
| Model | Who Controls Keys | Best For | ISO Alignment |
|---|---|---|---|
| Provider-managed keys | Cloud provider | Low-risk data, startups | Meets basic expectations |
| Customer-managed keys (CMK) | Customer uses provider KMS | Most organizations | Aligns with ISO 27017 |
| Customer-provided keys (BYOK) | Customer generates, provider stores/uses | Regulated industries | Strong alignment |
| Hold Your Own Key (HYOK) | Customer controls HSM | Highest security needs | Often exceeds requirements |
What ISO 27017 Specifically Expects
| Requirement | What It Means |
|---|---|
| Encryption key inventory & lifecycle | Track keys, owners, purpose, rotation, expiry, revocation |
| Customer key control capability | Provider offers options for customers to manage/control keys (where applicable) |
| Monitoring key activities | Log and alert on key creation, usage, access, deletion, policy changes |
| Documented cryptographic controls | A documented policy describing algorithms, scope, responsibilities, and review cadence |
The Key Lifecycle (Made Simple)
| Stage | What Happens | Compliance Consideration |
|---|---|---|
| Generation | Keys are created | Use strong algorithms; prefer HSM/KMS-backed generation |
| Storage | Keys are stored securely | Never in plaintext; use HSM or secure KMS |
| Distribution | Keys are made available to authorized systems | Encrypted channels; strict access and approvals |
| Rotation | Keys are renewed | Automate; document frequency and exceptions |
| Revocation | Keys are retired/disabled | Immediate if compromised; ensure secure deletion |
| Audit | All events are logged | Track access, changes, and usage to meet monitoring expectations |
Key Management Technologies
| Technology | What It Is | Why It Matters |
|---|---|---|
| KMS | Cloud service for creating and managing keys | Practical rotation, access control, audit logging |
| HSM | Hardware device for key storage and operations | Keys never leave the hardware; strongest protection |
| Cloud HSM | HSM-grade protection delivered as a cloud service | HSM security without owning and operating physical hardware |
Encryption and PII: What ISO 27018 Adds
ISO 27018 builds on ISO 27017 with privacy-specific requirements.
| Requirement | What It Means for Your Organization |
|---|---|
| Encrypt PII over public networks | TLS for all external connections and integrations |
| Transparency about subprocessors | Know who handles your data and where it flows |
| No use of PII for marketing without consent | PII should not be mined for provider benefit without permission |
| Return/deletion policies | Get your data back and deleted on exit, with clarity |
| Support data subject rights | Ability to access, correct, delete PII when required |
The Microsoft Example
Microsoft’s Azure and Office 365 have long aligned with ISO 27018 expectations in practice through customer key options,
strong auditability, controlled support access, and regular third-party assurance.
If they do not, you need to assess and document the gaps yourself.
Practical Implementation: What to Do
For Cloud Customers (Most Organizations)
| Action | Why It Matters |
|---|---|
| Review provider certifications | ISO 27018 alignment is a strong signal for cloud PII protections |
| Enable customer-managed keys (where available) | Improves control and matches ISO 27017 expectations for key control options |
| Document key responsibilities | Clarifies shared responsibility and reduces audit ambiguity |
| Test data export and deletion | Proves you can exit cleanly and remain compliant on termination |
| Review subprocessor lists | You cannot govern what you cannot see |
| Enable MFA for cloud consoles | Protects the admin layer where keys and crypto policies are controlled |
For Cloud Providers
| Action | ISO Expectation |
|---|---|
| Offer customer-managed key options | ISO 27017 |
| Provide transparency on subprocessors | ISO 27018 |
| Monitoring/alerting on key usage | ISO 27017 |
| Document shared responsibilities clearly | ISO 27017 |
| Support data subject rights | ISO 27018 |
Questions to Ask Your Cloud Provider
- “Do you hold ISO 27018 certification? Can we see the scope?”
- “Do you offer customer-managed encryption keys? How does it work?”
- “Where are our keys stored KMS or HSM? What assurance level?”
- “Who are your subprocessors? How do we get notified of changes?”
- “What happens to encrypted data when we terminate the contract?”
- “Can we export our data—including encrypted backups in a usable format?”
- “How do you support data subject access requests?”
Common Pitfalls to Avoid
Certification applies to provider controls. Your responsibility access management, configuration, and data classification remains yours.
Set-and-forget encryption is not governance. Automate rotation policies and document exceptions.
ISO 27017 expects monitoring of key activities. Enable logs and review them, not just collect them.
Lose your keys, lose your data. Build backup/recovery procedures and test them.
Algorithms weaken. Standards evolve. Review your encryption strategy annually.
The Decision-Maker’s Checklist
| Check | Question | ISO Reference |
|---|---|---|
| ☐ | Do we know which cloud services process PII? | 27018: Scope |
| ☐ | Is all PII encrypted at rest and in transit? | 27018: PII protection expectations |
| ☐ | Do we control our own encryption keys for sensitive data? | 27017: Key control options |
| ☐ | Is key rotation automated and documented? | Best practice |
| ☐ | Are key management activities logged and monitored? | 27017: Monitoring |
| ☐ | Have we reviewed subprocessors for cloud providers? | 27018: Transparency |
| ☐ | Can we export and delete data when a contract ends? | 27018: Return/deletion |
| ☐ | Do we have a documented encryption policy? | 27017: Cryptographic controls |
| ☐ | Are admin connections encrypted and MFA-protected? | Best practice |
| ☐ | Do we review provider certifications annually? | 27018: Assurance/audit expectations |
How Canadian Cyber Helps
Canadian Cyber’s SharePoint ISMS platform helps you manage encryption and key management requirements without the headache.
| Feature | How It Helps |
|---|---|
| Control evidence folders | Store encryption policies, key rotation logs, audit reports |
| Vendor register | Track certifications, subprocessors, contract expiry |
| Risk register | Document cloud encryption risks and mitigations |
| Policy templates | Encryption policy, key management policy, shared responsibility matrix |
| Access reviews | Quarterly reviews of who can access key management systems |
| Audit trails | Audit-ready evidence for auditors no scrambling |
— CISO, Financial Services Firm
The 15-Minute Encryption Assessment
We’ll review your current cloud providers, key management practices, and compliance gaps and tell you exactly where the risk sits.
The Question Every Leader Must Answer
If the answer is “I think so” or “I’d have to ask IT,” you have work to do.
ISO 27017 and ISO 27018 give you the framework. Your cloud providers give you the tools. Your team gives you the oversight.
The combination is unbeatable.
Conclusion: Encryption Is Governance, Not Just Technology
Encryption and key management are governance decisions that determine:
- Who really controls your data
- Whether you can prove compliance
- Whether you can leave a cloud provider on your terms
- Whether you sleep well after reading breach headlines
ISO 27017 and ISO 27018 provide a clear path:
- Encrypt data at rest and in transit
- Control your keys where it matters
- Monitor and log key activities
- Document responsibilities and policies
- Review annually
Follow that path and you will never have to guess whether your cloud data is safe. You’ll know.
About the Author
Canadian Cyber helps organizations navigate the complexity of cloud compliance. We don’t just understand encryption we understand the governance, the standards, and the practical steps to get it right.
Let’s secure your cloud data.
Encryption at a Glance
| Data State | Requirement | Typical Technology |
|---|---|---|
| At rest | Strong encryption for PII | AES-256, KMS, HSM |
| In transit | TLS for external connections | TLS 1.2+, VPN |
| Keys | Customer control option where it matters | Cloud KMS, BYOK, HSM |
| Audit | All key events logged and reviewable | Cloud audit logs, SIEM |
