Uncategorized
ISO 27017: 2015 Cloud security
Courtesy: ISO 27017: 2015 Cloud security
This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002:2013 and other ISO27k standards.
Scope and purpose
The code of practice provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002:2013, in the cloud computing context.
The standard advises both cloud service customers and cloud service providers, with the primary guidance laid out side-by-side in each section. For instance, section 6.1.1 on information security roles and responsibilities says, in addition to section 6.1.1 of ISO/IEC 27002:2013:
| Cloud service customer | Cloud service provider |
| The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities, and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should be stated in an agreement. The cloud service customer should identify and manage its relationship with the customer support and care function of the cloud service provider. | The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers. |
The standard cites ISO/IEC 27000 and 27002:2013, of course, plus ISO/IEC 17788 (Cloud computing – Overview and vocabulary) and ISO/IEC 17789 (Cloud computing – Reference architecture). Curiously, although ISO/IEC 27001 is noted in the bibliography, it is not considered ‘normative’ i.e. essential reading: although unusual, it is possible to make use of the controls recommended by ISO/IEC 27002 without also having an ISMS.
Status of the standard
The first edition was published in 2015. Having been developed jointly by ISO/IEC and ITU-T, the standard is dual-numbered as both ISO/IEC 27017 and ITU-T X.1631 with identical content.
Work on a second edition started in 2022. It will be updated to “capture a full set of guidance for information security controls applicable to cloud services, both from the third edition of ISO/IEC 27002 and any additional controls specific related specifically to cloud services.” SC 27, SC 38 and ITU-T are collaborating on this. Publication is planned for 2025.
