ISO/IEC 27017

From Wikipedia, the free encyclopedia

ISO/IEC 27017 is a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce the risk of security problems.[1] It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.[2] It is part of the ISO/IEC 27000 family of standards, standards which provides best practice recommendations on information security management. This standard was built from ISO/IEC 27002, suggesting additional security controls for the cloud which were not completely defined in ISO/IEC 27002.

This International Standard provides guidelines supporting the implementation of information security controls for cloud service customers, who implements the controls, and cloud service providers to support the implementations of those controls.[3] The selection of appropriate information security controls and the application of the implementation guidance provided, will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector specific information security requirements.[4]

What does the standard provide?[edit]

ISO/IEC 27017 provides guidelines for information security controls applicable to the use of cloud services by providing an additional implementation guidance for 37 controls specified in ISO/IEC 27002 and 7 additional controls related to cloud services which address the following:

  • Who is responsible for what between the cloud service provider and the cloud customer.
  • The removal or return of assets at the end of a contract.
  • Protection and separation of the customer's virtual environment.
  • Virtual machine configuration.
  • Administrative operations and procedures associated with the cloud environment.
  • Cloud customer monitoring of activity.
  • Virtual and cloud network environment alignment.[5]

Structure of the standard[edit]

The official title of the standard is "Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". ISO/IEC 27017:2015 has eighteen sections, plus a long annex, which cover:

1. Scope
2. Normative References
3. Definitions and abbreviations
4. Cloud sector-specific concepts
5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance


  1. ^ "BS EN ISO/IEC 27001:2017 – What is ISO 27017?". Retrieved 8 March 2020.
  2. ^ "ISO/IEC 27017:2015 [ISO/IEC 27017:2015] Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". International Organization for Standardization. Retrieved 8 March 2020.
  3. ^ "ISO/IEC 27017:2015(en) Introduction". businesswire. Retrieved 9 March 2020.
  4. ^ "ISO/IEC 27017:2015(en) Introduction". International Organization for Standardization. Retrieved 8 March 2020.
  5. ^ "ISO/IEC 27017". BSI Group. Retrieved 8 March 2020.

External links[edit]