ISO/IEC 27017:2015 is an information security code of practise for cloud services. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls for cloud service providers and for cloud service customers. An organisation implementing the standard would select the relevant controls for their circumstances.
As an extension to ISO 27002, ISO 27017 provides guidance on 33 27002 controls, as well providing some additional controls:
The shared roles and responsibilities between the cloud service providers and customers
Removal and return of cloud service customers assets when a contract has been terminated
Segregation in virtual computing environments
Secure hardening of virtual machines
Documenting critical operational procedures
Allowing cloud service customers to be able to monitor relevant activities within the cloud
The alignment of security management for both virtual and physical networks
Why implement ISO 27017?
Making clients feel safe about their data being stored in the cloud is vital. Having ISO/IEC 27017 standard allows an internationally standardised framework that can help reduce the risk of data breaches and build customer trust by showing your commitment to information security. The standard also gives guidance to cloud service customers on what they should want from their cloud service hosts.
The standard covers a range of topics such as asset ownership, removal and return of assets when a customer contract has been terminated, protection and separation of a customer’s virtual environment and more. With a growing risk of cloud data breaches now more than ever is important to know you and your organisation are doing the most to try and reduce these risks as a cloud service provider and/or a cloud service customer.
As ISO 27017 is built from the foundations of ISO 27001 and ISO 27002 framework, the certification shows compliance internationally and helps your organisation for both the cloud service providers and cloud service customers against risks within the cloud.
How NQA can help you
With a wealth of experience providing accredited management systems certifications, NQA is ideally placed to partner with you to meet stakeholder requirements and exceed industry expectations.
Technical committees and industry relationships. NQA is highly involved in a wide variety of industry committees and standards writing teams, helping us to maintain a keen awareness of changes within the industry.
Knowledge transfer supporting our customer’s organizational strategy. NQA is committed to ensuring customer awareness regarding changes in industry strategy, regulations, and standard requirements that may impact your management system approach.
If you are interested in understanding how NQA can assist you in gaining certification against ISO 27017 please contact our sales team.