Cloud computing has revolutionised the way many organisations operate. The flexibility, scalability, and cost savings offered by cloud services are appealing. However, embracing the cloud also introduces new information security risks that must be addressed. This is where ISO 27017 comes in.
ISO 27017 provides guidance on implementing information security controls specifically for cloud services. It builds upon the recommendations in ISO 27002 by adding extra controls and implementation guidance relevant to cloud environments.
In this article, we’ll explore ISO 27017 to understand how it can be applied to enhance cloud security. Whether you are a startup adopting SaaS or an enterprise migrating to the cloud, the insights will help you navigate ISO 27017 and leverage it effectively. 🚀
What is ISO 27017?
ISO 27017 is an international standard published jointly by the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). Officially titled “Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services,” it provides guidelines for security controls when using cloud computing services.
The standard was designed to address the unique information security challenges encountered with cloud environments that are not fully covered in the existing ISO 27002 standard.
Specifically, ISO 27017:
- Provides additional guidance to implement controls from ISO 27002 that are relevant for cloud services.
- Defines new controls not present in ISO 27002 but important for cloud security.
- Assists both cloud service customers and providers in addressing cloud computing risks and protecting information in the cloud.
It is an extension and complement to ISO 27002, not a replacement. Organisations still need to implement the baseline information security controls from ISO 27002 in addition to relevant ones from ISO 27017.
How Does ISO 27017 Integrate with ISO 27001 and ISO 27002?
To understand the purpose and scope of ISO 27017, it is helpful to see how it fits into the broader ISO 27000 family of information security standards:
- ISO 27001 – Specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
- ISO 27002 – Provides best practice recommendations and guidance for implementing information security controls within an ISMS.
- ISO 27017 – Extends ISO 27002 guidance specifically for cloud computing environments.
The relationship can be summed up as:
- ISO 27001 mandates the ISMS requirements
- ISO 27002 recommends information security best practices
- ISO 27017 enhances ISO 27002 recommendations with additional guidance tailored to the cloud
So while ISO 27001 sets out the requirements and ISO 27002 provides baseline controls, ISO 27017 acts as an extension to ISO 27002 for cloud-specific guidance.
ISO 27017 controls are designed to manage the unique risks associated with cloud adoption like loss of governance, multi-tenancy risks, and dependency on the cloud provider.
By implementing ISO 27017 alongside ISO 27001/27002, organisations can create a robust information security management framework customised for the cloud.
Key Benefits of Implementing ISO 27017
Some of the key benefits of applying ISO 27017 include:
Strengthened Cloud Security Posture 💪
ISO 27017 guidelines help strengthen overall security strategies, policies, and controls tailored to cloud environments. Organisations can reduce cloud security risks and improve security posture.
Streamlined Compliance 🎓
For organisations needing to comply with regulations like HIPAA or PCI DSS, ISO 27017 makes it easier to extend compliance programs to the cloud.
Assurance to Customers 👐
Cloud service providers can demonstrate commitment to security and give customers confidence by showing compliance with ISO 27017.
Shared Responsibility 🤝
ISO 27017 clearly defines shared roles and responsibilities between cloud providers and customers which enables effective security management.
Competitive Advantage ⚡
A strong cloud security posture enabled by ISO 27017 allows organisations to leverage the cloud with reduced risk – a competitive advantage.
Industry Best Practices 👍
ISO 27017 leverages industry expertise to provide best practice recommendations refined over time and endorsed by the security community.
Overview of ISO 27017 Contents
Now let’s look at what’s inside ISO 27017 and how it’s structured.
The standard comprises several sections:
- Introduction -Explains the purpose, scope, and relationship with ISO 27001/27002.
- Cloud concepts – Key cloud computing concepts and terminology.
- Controls – Specifies 14 cloud-focused controls grouped into domain areas like access control, cryptography, operations security etc.
- Implementation guidance – Each control has specific guidance for both cloud service customers and providers to aid implementation.
- Other information – Additional cloud security considerations relevant to certain controls.
- Annexes – References like risk assessment guide for cloud security (Annex B) and extended controls (Annex A).
By mirroring the clause structure of ISO 27002, ISO 27017 seamlessly integrates additional cloud security recommendations within the familiar framework.
The chunked implementation guidance allows both customers and providers to quickly identify their specific responsibilities in implementing a particular control.
Cloud-Specific Controls in ISO 27017
Now let’s look at some of the key information security controls defined in ISO 27017 to address cloud security challenges:
Asset Management
- Return/removal of assets (sec 8.1) – This control handles asset return and removal when cloud contracts end to prevent unauthorised data retention.
Human Resources
- Shared roles and responsibilities (sec 6.1) – Defines security roles and responsibilities to be shared between cloud provider and customer staff.
Access Control
- Segregation in virtual environments (sec 9.4) – Ensures proper segregation between tenants in multi-tenant cloud environments using virtualisation.
- Virtual machine security – Requires hardening and securing of virtual machines according to guidelines.
Cryptography
- Cryptographic controls – Specifies use of encryption aligned with organisational policies and legal/regulatory compliance.
Operations Security
- Monitoring cloud services (sec 12.4) – Requires capabilities to monitor cloud service usage, configuration, metrics.
- Network configuration (sec 13.1) – Mandates consistency between virtual network and underlying physical network configurations.
- Administrative operations – Secures administrative/privileged operations through supervision, logging and procedures.
Communications Security
- Virtual and physical network alignment (sec 13.1) – Ensures consistency between security controls implemented on virtual networks vs physical networks.
This covers some of the key areas addressed by cloud-specific controls in ISO 27017 – but there are additional critical controls as well.
Key Areas of Focus for Implementation
While the entire standard is valuable, some sections require special attention during implementation for customers or providers.
For Cloud Service Customers:
- Understand the shared responsibility model and ensure security roles are clearly defined between you and the provider.
- Classify data, applications, VMs, and associated assets that are migrated to the cloud – retain inventories.
- Manage identities and access controls for your users spanning both on-prem and cloud environments.
- Implement cryptographic solutions aligned with regulations and data sensitivity as needed.
- Monitor service performance, security events, metrics and logs from provider where available.
For Cloud Service Providers:
- Provide security controls allowing customers to protect data, segregate tenants, and monitor service securely.
- Share responsibilities matrix, architecture, security controls, certifications with customers.
- Ensure security controls consistency between physical and virtual layers, especially for networks.
- Support customer identity management and access integration where feasible.
- Build security monitoring, management and reporting capabilities customers can use.
Achieving ISO 27017 Certification
For organisations looking to get certified against ISO 27017, the process mirrors ISO 27001 certification:
- Project initiation – scope, budget, resources etc.
- Gap analysis – compare existing practices to ISO 27017 requirements.
- Implementation – implement controls from ISO 27017 alongside ISO 27001/27002.
- Internal audit – assess conformance to defined requirements.
- Corrective actions – remediate gaps identified during audit.
- External certification – accredited certification body verifies compliance through audits.
- Surveillance audits – periodic audits to maintain certification.
The time and effort required depends on the organisation’s existing information security posture. Those with robust ISO 27001 systems can extend them to incorporate ISO 27017 guidance.
Bringing It All Together
While organisations rush to adopt cloud services, ISO 27017 brings a much needed set of security guidelines tailored to the unique nature of the cloud.
By providing focused implementation guidance for both customers and providers, it enables organisations to maximise cloud benefits while minimising the new risks introduced.
For providers, committing to ISO 27017 helps build trust and transparency with customers about their cloud security practices.
And customers can leverage ISO 27017 to select cloud services, monitor security, and complement their internal controls for a seamless security framework spanning their hybrid environments.
The insights we have explored should help you get started on the path to applying ISO 27017’s cloud-specific recommendations within your organisation! Reach out if you need any guidance in adopting ISO 27017.