ISO 27017

ISO/IEC 27017 is a standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It offers additional security control implementation guidance beyond that provided in ISO/IEC 27002, specifically tailored for cloud service providers and users. This helps in addressing the specific elements of cloud computing risk and security management.

The standard covers areas such as the responsibility between cloud service providers and their clients, security policies, human resources security, asset management, access control, cryptography, physical and environmental security, and compliance among other things. It aims to help both parties in understanding and implementing effective cloud-specific security measures. This guidance is particularly useful in the context of the broader ISO/IEC 27000 family of standards, which support the establishment, implementation, maintenance, and continuous improvement of an information security management system (ISMS).

What are the ISO 27017 controls?

ISO/IEC 27017, as an extension to ISO/IEC 27002, introduces additional security controls specifically for cloud services, while also providing implementation guidance on existing controls in the context of cloud computing. Here’s a breakdown of the types of controls covered under ISO/IEC 27017:

  1. Shared Roles and Responsibilities: Clarification of security responsibilities between cloud service providers and cloud service customers to ensure a clear understanding of who is responsible for what aspects of security.

  2. Asset Management: Enhancements to control how data should be classified and managed securely in the cloud environment.

  3. Human Resource Security: Guidance on ensuring that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles they are considered for, especially in a cloud environment.

  4. Physical and Environmental Security: Modifications to account for the physical security of data centers and other premises that may be part of the cloud service provider's infrastructure but not directly controllable by the customer.

  5. Operations Security: Adjustments focusing on operational procedures and responsibilities to ensure correct and secure operations of information processing facilities.

  6. Communications Security: Recommendations on managing network security, particularly in multi-tenant environments, and data transmission security.

  7. System Acquisition, Development, and Maintenance: Additional guidance on ensuring that information security is an integral part of the systems development life cycle, particularly in the context of cloud systems.

  8. Supplier Relationships: Controls on monitoring, reviewing, and auditing supplier service delivery.

  9. Information Security Incident Management: Procedures for managing security incidents and breaches in a cloud environment, including faster and more structured responses coordinated between the provider and the customer.

  10. Information Security Aspects of Business Continuity Management: Enhanced practices to ensure that cloud services can sustain and recover from disruptions or failures.

  11. Compliance: Guidance on regulatory and contractual compliance, especially considering that data may be stored in multiple jurisdictions.

These controls are meant to be implemented in conjunction with the broader set of controls in ISO/IEC 27002, with specific adjustments and additions to address the nuances of cloud computing. This ensures that both cloud service providers and their customers can have robust security measures tailored to the unique challenges posed by cloud environments.

What are the benefits of ISO 27017?

Adopting ISO/IEC 27017 provides several benefits for organizations involved in cloud computing, whether they are providers or users. Here are some of the key advantages:

  1. Enhanced Security Measures: ISO 27017 provides specific guidance on applying cloud security controls beyond the generic advice given in ISO/IEC 27002. This helps organizations ensure that their cloud services are secured in ways that address the unique risks associated with cloud computing.

  2. Clarified Roles and Responsibilities: This standard helps clearly define the security responsibilities between the cloud service provider and the customer, reducing ambiguities and ensuring that all security bases are covered. This clarity is crucial for effective security governance and risk management in cloud environments.

  3. Increased Trust and Credibility: By complying with an internationally recognized standard, organizations can demonstrate their commitment to security, which can enhance their reputation and increase trust among clients and stakeholders.

  4. Better Compliance Posture: ISO 27017 helps organizations meet regulatory and legal requirements, particularly those related to data protection and privacy. This is increasingly important as laws and regulations around data security and privacy become more stringent globally.

  5. Improved Risk Management: The standard provides frameworks and guidelines that help organizations identify, assess, and manage security risks in cloud services more effectively. This proactive approach to risk management can help prevent security breaches and data loss incidents.

  6. Competitive Advantage: For cloud service providers, achieving ISO 27017 certification can distinguish them from competitors by signaling higher security standards, which can be a decisive factor for potential clients when choosing a cloud service provider.

  7. Streamlined Security Processes: By adopting ISO 27017, organizations can integrate cloud-specific security practices into their broader information security management systems, leading to more efficient and effective security processes.

  8. Facilitated International Business: Compliance with an international standard can simplify the legal complexities of providing services across borders, as it reassures clients that the provider adheres to globally recognized security practices.

Overall, ISO/IEC 27017 helps organizations ensure that their cloud computing services are secure, reliable, and trustworthy, which is crucial in today's digital and often regulatorily complex market environment.

How to implement ISO 27017?

Implementing ISO/IEC 27017 effectively requires careful planning, coordination, and alignment with existing security practices, particularly if your organization is also aligning with other standards like ISO/IEC 27001. Here’s a step-by-step approach to implementing ISO/IEC 27017:

1. Understand and Assess Existing Controls

  • Baseline Assessment: Review current security controls and practices, especially those related to cloud computing, against ISO/IEC 27017 guidelines. Identify gaps between current practices and the standard’s requirements.
  • Awareness: Ensure that all stakeholders, including management and IT staff, understand the importance of ISO 27017 and its relevance to your operations.

2. Plan the Implementation

  • Set Objectives: Define what you want to achieve with the ISO 27017 implementation, such as improving cloud security, enhancing compliance, or improving customer confidence.
  • Project Planning: Develop a project plan that includes tasks, timelines, responsibilities, and resources. Consider integrating ISO 27017 controls into the existing Information Security Management System (ISMS) if you are already compliant with ISO/IEC 27001.

3. Define Roles and Responsibilities

  • Clarify Responsibilities: Define clear roles and responsibilities for cloud security management, distinguishing between the duties of the cloud service provider and the cloud service customer as applicable.
  • Engagement: Engage both internal stakeholders and external cloud service providers in the process to ensure alignment and commitment.

4. Update Policies and Procedures

  • Policies: Revise existing security policies or develop new ones that include cloud-specific considerations, guided by ISO/IEC 27017.
  • Procedures: Update operational procedures to incorporate the cloud-specific controls and practices recommended by ISO/IEC 27017.

5. Implement Controls

  • Control Implementation: Apply the additional controls and enhancements recommended by ISO/IEC 27017 for cloud services.
  • Integration: Ensure these controls are effectively integrated with the broader security controls framework, particularly when using hybrid or multiple cloud environments.

6. Training and Awareness

  • Training Programs: Conduct training sessions to educate employees about cloud security risks and the specific controls implemented.
  • Continuous Awareness: Foster an ongoing awareness and understanding of cloud security best practices among all employees.

7. Monitor and Review

  • Continuous Monitoring: Set up processes for the ongoing monitoring and evaluation of cloud security controls to ensure they are effective and comply with ISO/IEC 27017.
  • Audits and Reviews: Schedule regular audits to assess compliance with the standard and to identify opportunities for improvement.

8. Prepare for Certification

  • Internal Audit: Conduct a thorough internal audit to check for readiness against ISO/IEC 27017 requirements.
  • Gap Analysis and Remediation: Address any gaps identified during the internal audit.
  • Certification Audit: Engage an accredited certification body to perform the formal certification audit.

9. Continuous Improvement

  • Feedback Mechanisms: Implement feedback mechanisms to capture insights and lessons from the implementation process.
  • Iterative Improvements: Use these insights to continuously improve cloud security practices and align with evolving standards and technologies.

By following these steps, your organization can effectively implement ISO/IEC 27017 and strengthen the security of cloud services, enhancing both compliance and confidence among your customers and stakeholders.