ISO/IEC 27017 Cloud Security Controls

What is the Purpose of ISO 27017?

ISO 27017 supplements the ISO/IEC 27002 framework for cloud computing environment by including supplementary information, security measures, and implementation guidance. This framework provides implementation guidance on 37 controls found in ISO/IEC 27001, as well as seven additional requirements.

New cloud controls that address the following best code of practice:

• Who’s responsible for what between the cloud service provider and the cloud customer.
• The removal/return of assets when a contract is terminated.
• Protection and separation of the customer’s virtual environment.
• Virtual machine configuration.
• Administrative operations and procedures associated with the cloud environment, letting customers monitor relevant activities.
• Cloud customer monitoring of activity within the cloud.
• Virtual and cloud network environment alignment.
• Information security controls based on the ISO 27001 standard and ISO 27017 framework.

By adopting this code of practice, cloud consumers and providers can now meet baseline information security requirements by selecting relevant controls and implementation guidance based on risk assessments for cloud services.

If you work for a cloud service provider or are considering moving your company to the cloud. Our ISO 27017 overview will help you understand the framework core components, new controls and how this code of practice will benefit your organisation.

Why Implement ISO 27017?

It’s crucial for clients to have confidence in the safety of their data in the cloud. ISO/IEC 27017 is a globally recognised framework that, when implemented, will effectively reduce the likelihood of data breaches and increase customer trust by demonstrating your commitment to information security techniques.

As pointed out, the framework addresses various issues, including asset ownership, the removal and return of assets after termination of a customer contract, and security of a customer’s virtual environment.

The framework defines administrative operations for handling a cloud environment—requirements to harden a virtual machine according to business needs.

As a cloud service provider or a cloud service user, it is vital to show your organisation is doing everything possible to minimize the risks posed by data breaches.

ISO 27017 is based on the ISO 27001 standard and ISO 27002 framework, implementation demonstrates that your organisation has put in place best practices to protect against cloud-related threats for both cloud service providers and cloud service customers. It complements however doesn’t replace the requirements of ISO/IEC 27002.

Who Should Implement ISO 27017?

If you operate a cloud storage service use a SaaS, or cloud storage directly in your business, ISO 27017 is important to ensure you follow best practice.

ISO 27017 is increasingly becoming a requirement to be considered for specific large-scale and government projects. As these organisations will only partner with businesses that demonstrate a systematic commitment to risk mitigation.

Any legal, contractual, regulatory or other cloud specific information security requirements will affect the selection of appropriate information security controls of the implementation of the framework.

This certification is a must-have for any company that uses or wishes to provide their customers with secure cloud services. It proves that they’ve implemented ISO 27017 information security controls.

This is a great way for any company to show their commitment to protecting customer information. By getting certified, you’ll set yourself apart from the competition and give your customers peace of mind. You’ll be demonstrating your knowledge and expertise on this important subject.

Inspires confidence in your organisation

Gives robust validation to customers and partners about the security of their data and information.

Secures your brand image

Mitigates the possibility of negative attention as a result of data breaches.

Protection from fines

Demonstrates consistent standards, making it easier to conduct business internationally and gain exposure as a trusted provider.

Contributes to business growth

Communication is key when it comes to Information Security Governance processes. You are entrusted with keeping your company and its various assets secure, but it cannot be an isolated process.

What Standards Do ISO 27017 Integrate With?

ISO 27017 is compatible with other ISO standards. These include the following:

• ISO 27001: specifications for operating an information security management system.
• ISO 27002: a list of basic security controls that a business can employ.
• ISO 27018: standards covering the protection of personal data in the cloud.

ISO 27017 is an expansion of ISO 27002 that includes additional information for information security controls that are necessary for protecting data in the cloud. It also adds several new ones, and enhances the standard’s applicability to the cloud computing industry.

ISO 27017 provides guidelines for both providers and users of cloud services. It notes that due to the way cloud computing operates, the same organisation can be both a customer and a provider of cloud services.

How Does ISO 27017 Integrate with ISO 27002?

ISO 27017 is structured similarly to ISO 27002, namely in the form of a checklist of potential security controls. Individual organisations will need to determine which controls are applicable to their circumstances, may vary according to their position as cloud service providers, customers, or both.

The guidelines in this International Standard provide support for information security control implementation by both cloud service customers and providers. It’s an excellent framework for anyone who offers cloud services to clients.

Specific controls are applicable to both providers and customers, while some have specific applications.

The most notable contribution to ISO 27002 by ISO 27017 is the clarification on backups. It states that:

• Cloud service customers should specify the backup functionality they need from the provider, check that offered service meets their requirements, and make their own arrangements if the provided service is insufficient; and
• Cloud service providers should have “safe and separate access to backups” and specify the backup capabilities.

ISO 27001, ISO 27017, or ISO 27018 – Which to go for?

ISO 27001 is an ideal cornerstone standard for any business seeking to secure its data. It’s now the most widely used standard globally. It establishes a system for maintaining compliance in information security controls, and the only standard against which a (valid) certificate can be obtained.

ISO 27017 international framework is undoubtedly relevant to businesses that provide cloud-based services and want to cover all bases for cloud computing security.

ISO 27018 is more geared toward companies that manage personal data and want to ensure it’s protected appropriately.

Cloud service providers can adopt ISO 27001 in combination with ISO 27017, while cloud companies with a high volume of personal data will almost certainly implement all three: ISO 27001, ISO 27017, and ISO 27018.