ISO/IEC 27017:2015
Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services

The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.

This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks, referring to clauses 5-18 of ISO/IEC 27002:2013 for controls, implementation guidance and other information. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002, and it also features seven new controls that are not duplicated in ISO/IEC 27002.

These new controls address the following important areas:

Shared roles and responsibilities within a cloud computing environment
Removal and return of cloud service customer assets upon contract termination
Protection and separation of a customer's virtual environment from the environments of other customers
Virtual machine hardening requirements to meet business needs
Procedures for administrative operations of a cloud computing environment
Enabling customers to monitor relevant activities within a cloud computing environment
Alignment of security management for virtual and physical networks

ISO/IEC 27017 is unique in providing guidance for both cloud service providers and cloud service customers. It also provides cloud service customers with practical information on what they should expect from cloud service providers. Customers can benefit directly from ISO/IEC 27017 by ensuring they understand the shared responsibilities in the cloud.

The standard provides cloud-based guidance on 37 of the controls in ISO/IEC 27002 but also features seven new cloud controls that address the following:

Who is responsible for what between the cloud service provider and the cloud customer
The removal/return of assets when a contract is terminated
Protection and separation of the customer’s virtual environment
Virtual machine configuration
Administrative operations and procedures associated with the cloud environment
Cloud customer monitoring of activity within the cloud
Virtual and cloud network environment alignment
Security controls
It’s not only the separation of responsibilities that the standard helps define:

ISO/IEC 27017 also goes into much more detail about the types of security controls that service providers should be implementing, and about how those controls help reduce the barriers to cloud adoption.

ISO/IEC 27017 offers a way for cloud service providers to indicate the level of controls that have been implemented. This means documented evidence, backed up by independent sources such as certification to certain standards, shows that appropriate policies have been implemented and, most importantly, what types of controls have been introduced.
This information should be shared with the cloud customer before any contract is signed, to help alleviate any potential issues in the future.

In cases where independent audits aren’t practical or would pose a greater risk to information security, the standard does provide an option for cloud service providers (CSPs) to self-assess.
When this is the case, the CSP must tell customers that it has self-assessed.

There’s also guidance about any cryptography being used.
This applies to the customer and the provider as both have responsibilities in this area.
The provider should tell the customer how it’s using cryptography and help customers apply protection of their own. It should also consider special cases, such as health data, where there may be additional regulatory guidelines.
Customers should also be upfront about the type of cryptography that they’re using, and they ought to be using cryptography if the risk analysis suggests that it’s needed.

In fact, this is the sort of dispute or misunderstanding that underpins the need for the standard. Not only should both parties assure each other that the network is being protected, they should also be able to assure each other that there’s compatibility between the two systems.
And, crucially, it should be determined whether these controls apply to data at rest, in transit or both, as this has caused misunderstandings before.