ISO 27017 – Security Controls for Cloud Services
Introduction
Cloud services emerged in the mid-2000s and have since developed into a mainstream technology option for most organisations. Cloud is not just a minor technology change, however; it is both a strategic opportunity and a strategic challenge for organisations. The range of cloud services continues to grow, and security remains a key factor in, and enabler of, cloud adoption. The evolution of cloud security has put cloud service providers at the forefront of security, and cloud customers now have a high level of understanding of, and high expectations for, robust cloud security.
Within the International Organization for Standardization (ISO) family of information security standards known as ISO 27000, a key standard is ISO 27017, the Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services. It is specifically designed to be applied to cloud environments from the perspectives of both the provider and the consumer / customer, and provides additional cloud-focused implementation guidance for the relevant controls.
Cloud Guidance introduced by ISO 27017 in relation to ISO 27002
For each security control, ISO 27017 states whether the ISO 27002 guidelines apply in a cloud context and provides further information where relevant. The table below lists the controls for which additional implementation guidelines are defined for cloud services, over and above the guidelines provided within ISO 27002.
New controls introduced by ISO 27017
Furthermore, ISO 27017 introduces additional controls, with implementation guidance, that relate specifically to cloud services; these can be found in the Annex of the standard under “Cloud service extended control set”. The table below lists the additional controls with a brief description of each.
Whether organisations are providers or consumers of cloud services, aligning with ISO 27017 provides assurance that the relevant controls have been complied with and good practices followed.