ISO 27001 provides a robust foundation for information security, but it was designed as a generic standard. It does not specifically address the unique security challenges of cloud computing. That is where ISO 27017 comes in. This standard provides cloud-specific implementation guidance and introduces additional controls that go beyond what ISO 27001 covers.
What ISO 27017 adds
ISO 27017 builds on the control set of ISO 27002 in two ways: it adds cloud-specific implementation guidance to the existing controls, and it introduces seven new controls (the CLD controls) for areas that have no counterpart outside cloud environments: shared roles and responsibilities between provider and customer, removal of customer assets when a cloud service ends, segregation in virtual computing environments, virtual machine hardening, administrator operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks.
For each existing ISO 27002 control, ISO 27017 provides specific guidance for both cloud service providers and cloud service customers. This dual perspective is one of the standard's greatest strengths, because security in the cloud is never the sole responsibility of one party.
The shared responsibility model
Cloud security operates on a shared responsibility model, and ISO 27017 formalizes this concept: its control on shared roles and responsibilities expects the division of security responsibilities between the cloud service provider and the cloud service customer to be defined, documented and communicated to both parties. This delineation varies with the service model (IaaS, PaaS or SaaS), and ISO 27017 provides guidance for each.
In practice, we see that many organizations assume their cloud provider handles more security than it actually does. ISO 27017 forces a structured conversation about these boundaries. Who is responsible for encryption key management? Who monitors for unauthorized access? Who ensures data is properly deleted when a service is terminated? The answers shift with the service model: under IaaS the customer typically patches the operating system on its virtual machines, whereas under SaaS the provider does. Every cloud customer should be able to answer these questions clearly for each service it uses.
Relationship with ISO 27018
ISO 27017 focuses on information security in cloud services, while its companion standard ISO 27018 focuses specifically on the protection of personally identifiable information (PII) by public cloud providers acting as PII processors. Together with ISO 27001, these three standards form a comprehensive cloud security and privacy framework. Many cloud service providers have all three assessed together, so that their ISO 27001 certificate also states conformity with ISO 27017 and ISO 27018, to give their customers maximum assurance.
Practical implementation
ISO 27017 is a code of practice rather than a management system standard, so it is not certified on its own; it is implemented as an extension to an existing ISO 27001 ISMS. Organizations that are already certified to ISO 27001 can integrate the cloud-specific guidance and the additional CLD controls into their existing framework without building a separate management system. Conformity with ISO 27017 is then assessed during the ISO 27001 certification audit and recorded as an extension on the ISO 27001 certificate.
At Secure Audit, we help cloud service providers and cloud-dependent organizations implement ISO 27017 as part of a comprehensive cloud security framework. Whether you are a provider looking to strengthen your offering or a customer wanting assurance about your cloud security posture, we can guide you through the process.
About the author
Partner | IT Auditor