ISO 27017

Briefly

ISO 27017 provides guidelines for information security controls applicable in using cloud services.

Description

What is ISO 27017?

ISO 27017 is an information security standard which provides guidelines for implementing information security controls applicable to the provision and use of cloud services.

This standard provides additional, cloud-specific implementation guidance for the relevant controls specified in ISO 27002. Furthermore, ISO 27017 provides controls and implementation guidance for both cloud service providers and cloud service customers.

Who requires an ISO 27017 certification?

Organisations that are cloud service providers require an ISO 27017 certification, as it outlines specific security controls and best practices for managing information security within cloud computing environments. Any organisation that provides a cloud service would benefit from becoming certified in this standard.

How can ISO 27017 benefit your business?

Becoming certified for ISO 27017 can bring a wide range of benefits to your organisation, including:

  • Clearer cloud service expectations
  • Reduced risk of data breaches
  • Competitive advantage
  • Operational efficiency

How can you prepare for an ISO 27017 Certification?

Although the thought of starting the certification process may seem daunting, there are a variety of steps you can take to make the process of becoming certified far more streamlined:

  • Familiarise yourself with the ISO 27001 standard
  • Document your cloud security policies and procedures to ensure they are compliant with the standard
  • Develop a remediation plan
  • Carry out internal audits to highlight any areas for improvement
  • Provide training to staff to ensure all employees are compliant with the standard

What are the key requirements of ISO 27017?

When working towards becoming certified for ISO 27017, there are various areas that will be a focus during the audit. These areas include:

  • Cloud contract security
  • Shared responsibility model
  • Compliance with regulations
  • Due diligence on providers

What clauses make up the structure of ISO 27017?

Clauses 1-3 – Introductory clauses

The first three clauses of ISO 27017 provide an introduction to the scope of the standard, the normative references to other related standards such as ISO 27002, and the definitions and abbreviations of terms used throughout the standard.

Clause 4 – Cloud sector-specific concepts

Clause 4 covers the forms of relationships in cloud services, explores the processes for managing information security risks and delves further into the overall structure of ISO 27017.

Clause 5 – Information security policies

Clause 5 briefly touches on the policies that surround cloud services, customers and providers, alongside other areas in the standard that policies may affect.

Clause 6 – Organisation of information security

Clause 6 focuses on the roles and responsibilities of cloud service customers and providers. Additionally, this clause makes several references to ISO 27002 when addressing special interest groups, project management and mobile devices.

Clause 7 – Human resource security

Clause 7 outlines the controls that must be in place prior to and during employment. Although the majority of subclauses refer to ISO 27002, new guidance has been added regarding information security awareness, education and training.

Clause 8 – Asset management

Clause 8 explores the responsibility for assets, classification of information and media handling in detail and provides further guidance on the implementation for customers and providers.

Clause 9 – Access control

Clause 9 introduces additional controls surrounding the granting of access to networks and network services, user access management and user responsibilities for those with access.

Clause 10 – Cryptography

In this shorter section, clause 10 provides sector-specific implementation guidance to accompany policies on the use of cryptographic controls and key management, including functionality and encryption.

Clause 11 – Physical and environmental security

Clause 11 provides further guidance on the controls in place to ensure the highest level of physical and environmental security, and includes further controls on the secure disposal or reuse of equipment.

Clause 12 – Operations security

Clause 12 expands greatly on the operational procedures and responsibilities that accompany the implementation and enforcement of security. This section covers change management, protection from malware, backup processes, logging and monitoring, and vulnerability management.

Clause 13 – Communications security

Clause 13 switches the focus of security controls to communication and further develops the subclauses on network services and information transfers.

Clause 14 – System acquisition, development and maintenance

Clause 14 provides a large amount of sector-specific guidance on the analysis and specification of information security requirements and on development policies, with further information relating to cloud services.

Clause 15 – Supplier relationships

In addition to the guidance provided in ISO 27002, clause 15 provides additional information security controls regarding supplier relationships, supplier agreements, and delivery management.

Clause 16 – Information security incident management

Clause 16 further expands on the responsibilities, procedures and reporting processes that have been implemented for information security incident management.

Clause 17 – Information security aspects of business continuity management

In another short section, clause 17 adds new subclauses that directly reference the existing guidance in ISO 27002 on business continuity management.

Clause 18 – Compliance

In the final section of the standard, clause 18 addresses compliance controls as a whole in regard to cloud services. This includes sector-specific guidance on applicable legislation, contractual requirements, intellectual property rights and the protection of records.

How long will your ISO 27017 certificate be valid for?

Your ISO 27017 certificate will be valid for at least three years, dependent on the type of site that is being certified.
