ISO/IEC 27017:2015
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
ISO/IEC 27017:2015 is a code of practice that organizations can use as a reference when selecting information security controls for cloud services, as part of implementing a cloud computing information security management system based on ISO/IEC 27002:2013. Cloud service providers can also use it as guidance for implementing commonly accepted protection controls.
The standard supplies cloud-specific implementation guidance for controls in ISO/IEC 27002 and adds controls that address cloud-specific information security threats and risks, referring to clauses 5 to 18 of ISO/IEC 27002:2013 for the controls themselves, their implementation guidance, and other information. Specifically, it provides cloud-specific guidance on 37 of the ISO/IEC 27002 controls and introduces seven new controls that have no counterpart in ISO/IEC 27002. Note that its clause and control numbering follows the 2013 edition of ISO/IEC 27002; the 2022 revision restructured the control set, so anyone mapping 27017 guidance onto the newer edition needs to translate the references.
The seven new controls (numbered CLD.x.y.z in the standard) address the following areas:
CLD.6.3.1: shared roles and responsibilities within a cloud computing environment
CLD.8.1.5: removal and return of cloud service customer assets upon contract termination
CLD.9.5.1: protection and separation of a customer's virtual environment from the environments of other customers
CLD.9.5.2: virtual machine hardening to meet business needs
CLD.12.1.5: procedures and operational security for administrative operations on a cloud computing environment
CLD.12.4.5: enabling customers to monitor relevant activities within a cloud computing environment
CLD.13.1.4: alignment of security management for virtual and physical networks
ISO/IEC 27017 is unusual in providing guidance for both cloud service providers and cloud service customers. It gives customers practical information on what they should expect from a provider, and customers benefit directly by using it to establish exactly which responsibilities are shared and which sit with each party.