ISO 27017
Cloud-specific controls for information security.
Overview
ISO/IEC 27017 is an international standard that provides guidelines for information security controls applicable to the provision and use of cloud services.
It supplements ISO/IEC 27002 by providing additional cloud-specific implementation guidance, helping both cloud service providers and customers manage the security of cloud-based environments.
The standard addresses shared responsibilities, clarifies roles, and introduces new controls for cloud-specific risks such as virtualization, customer data segregation, and cloud customer monitoring of provider activities.
Key Requirements
- Define and document shared security responsibilities between cloud provider and customer
- Implement controls for virtual machine management and protection
- Ensure customer data segregation and secure data disposal
- Establish procedures for cloud service customer monitoring of provider activities
- Manage cloud service provider relationships and third-party risks
- Maintain incident response and notification processes tailored to cloud environments
- Protect customer assets and ensure secure data transfer in the cloud
- Governing Body: International Organization for Standardization (ISO)
- Current Version: ISO/IEC 27017:2015
- Type: Guidance Standard
- Scope: Cloud service providers and customers
- Relation to Other Standards: Supplement to ISO/IEC 27002
- Cloud service providers (IaaS, PaaS, SaaS)
- Organizations using or evaluating cloud services
- IT and security teams managing cloud environments
- Regulated industries with cloud adoption
- Enterprises seeking to align with international best practices for cloud security
ISO 27017 Readiness Assessment
Comprehensive evaluation of your current cloud security posture against ISO 27017 requirements to identify gaps and develop a remediation plan.
Cloud Security Policy Development
Creation of tailored cloud security policies and procedures aligned with ISO 27017 and your business operations.
Control Implementation Support
Hands-on assistance with implementing technical and organizational controls for cloud environments.
Cloud Provider Risk Assessment
Evaluation and management of third-party risks associated with cloud service providers.
Incident Response Planning
Development of incident response and notification processes specific to cloud environments.