Initial Release
A practical, audit-ready implementation toolkit for ISO/IEC 27017:2015 (Cloud Security Controls) and ISO/IEC 27018:2019 (PII Protection in Public Clouds), aligned to ISO 27001:2022 and ISO 27002:2022.
What's Included
- Gap Assessment — Cloud security gap assessment checklist covering all 27017 + 27018 controls
-
- Cloud Policies — Cloud Security Policy, Cloud PII Policy, Cloud Acceptable Use Policy
-
- Scope & Context — Scope statement, asset/PII inventory, issues register, interested parties, legal register
-
- Leadership — Governance, RACI matrix, CSO terms of reference, leadership commitment
-
- Planning — Risk assessment methodology, risk register, risk treatment plan, Statement of Applicability (SoA)
-
- Operations — Shared responsibility matrix, breach response, DPIA, DSR, cross-border transfer, encryption & key management
-
- ISO 27017 Controls Reference — All 7 cloud-only CLD controls + 37 ISO 27002 extensions
-
- ISO 27018 Controls Reference — Full Annex A PII processor obligation catalogue
-
- Evidence Packs — Audit-ready evidence templates (access review, vulnerability scan, CAR records)
-
- Worked Example — End-to-end Nexus Cloud Services Ltd worked implementation
-
- Python GRC Scripts —
cloud_soa_tracker.py,cloud_gap_checker.py,dpia_cloud_scorer.pywithrequirements.txt
- Python GRC Scripts —
-
- Cross-Mapping — GDPR, UAE PDPL, NIST CSF 2.0, CSA CCM v4, SOC 2, FedRAMP
-
- Supplementary Templates — DPA template, CSA review checklist, supplier assurance questionnaire, privacy notice, certification readiness checklist
Standards Covered
| Standard | Scope |
|---|---|
| ISO/IEC 27017:2015 | Cloud-specific security controls (CSP + CSC) |
| ISO/IEC 27018:2019 | PII protection in public clouds (PII processors) |
| ISO/IEC 27001:2022 | ISMS framework alignment |
| ISO/IEC 27002:2022 | Control implementation guidance |