ISO 27017 is a relatively new publication from the International Organization for Standardization (ISO) dealing specifically with cloud computing.
ISO 27017 works alongside several other ISO standards. These include:
In practical terms, ISO 27017 builds on ISO 27002: it gives extra detail for some of the security controls and adds some new controls, both to increase relevance to the cloud computing sector.
The guidance in ISO 27017 is designed for both providers and customers of cloud services. It notes that the way cloud computing works means it's possible to have a supply chain in which the same organisation can be both a cloud service customer and a cloud service provider.
ISO 27017 was developed to reflect what it lists as “significant changes in how computing resources are technically designed, operated and governed.” It also notes that it’s not just a matter of cloud service providers maintaining security. Instead, customers will need to assess the provider’s security controls and it’s possible the customer may then have to adjust its own activities to meet its security requirements.
ISO 27017 has a similar structure to ISO 27002, namely a checklist format of possible security controls. Individual organisations may need to decide which of these controls are relevant to their situation, which may depend on their status as cloud service provider, customer or both. Some controls apply in the same way to providers and customers while others have separate entries.
The most significant cloud-specific guidance that ISO 27017 adds to ISO 27002 addresses backups. It says that:
Some of the suggested points to address in the specification include:
The most significant new control in ISO 27017 regards segregation in virtual computing environments. The key principle is that the customer's virtual environment be protected from unauthorised access, including by other customers. This requires "appropriate logical segregation" of data and resources as well as taking into account the risks of allowing customers to run their own software.
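To make the segregation control concrete, here is an added illustration (not part of ISO 27017 and not any provider's code) of what "logical segregation" of customer data looks like in practice: a store with no tenant check, beside one where every read is scoped to the calling tenant, ownership is verified before data is returned, and denied cross-tenant requests are recorded for review. The class names, tenant and resource identifiers are constructed for the example.

```python
# Constructed example: a minimal model of per-tenant logical segregation.
# Not taken from ISO 27017; the class and function names are this example's own.
from dataclasses import dataclass, field
from typing import Dict, List


class TenantIsolationError(PermissionError):
    """Raised internally when a caller asks for a resource another tenant owns."""


@dataclass
class Resource:
    resource_id: str   # globally unique id, as cloud resource ids usually are
    tenant_id: str     # owning customer
    data: str


@dataclass
class IsolationAudit:
    """Records denied cross-tenant requests so operators can review them."""
    events: List[str] = field(default_factory=list)

    def denied(self, caller: str, res: Resource) -> None:
        self.events.append(
            f"DENIED caller={caller} resource={res.resource_id} owner={res.tenant_id}"
        )


class UnscopedStore:
    """No segregation: any caller who knows a resource id can read it."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Resource] = {}

    def put(self, res: Resource) -> None:
        self._by_id[res.resource_id] = res

    def get(self, resource_id: str) -> Resource:
        return self._by_id[resource_id]


class TenantScopedStore:
    """Logical segregation: every read names the calling tenant and ownership is
    checked before any data is returned. A missing id and a foreign id produce
    the same error, so the store does not reveal which ids exist."""

    def __init__(self, audit: IsolationAudit) -> None:
        self._by_id: Dict[str, Resource] = {}
        self._audit = audit

    def put(self, res: Resource) -> None:
        self._by_id[res.resource_id] = res

    def get(self, caller_tenant: str, resource_id: str) -> Resource:
        res = self._by_id.get(resource_id)
        if res is None:
            raise KeyError(resource_id)
        if res.tenant_id != caller_tenant:
            self._audit.denied(caller_tenant, res)   # detection: log the attempt
            raise KeyError(resource_id)              # same error as "not found"
        return res

    def list_for(self, caller_tenant: str) -> List[str]:
        """Enumeration is scoped too: a tenant only sees its own ids."""
        return sorted(r.resource_id for r in self._by_id.values()
                      if r.tenant_id == caller_tenant)


def demo() -> dict:
    """Constructed data: two customers sharing one store."""
    a_vol = Resource("vol-0001", "customer-a", "a's backup image")
    b_vol = Resource("vol-0002", "customer-b", "b's backup image")

    unscoped = UnscopedStore()
    unscoped.put(a_vol)
    unscoped.put(b_vol)
    leaked_owner = unscoped.get("vol-0002").tenant_id   # nothing stops customer-a here

    audit = IsolationAudit()
    scoped = TenantScopedStore(audit)
    scoped.put(a_vol)
    scoped.put(b_vol)
    own = scoped.get("customer-a", "vol-0001").data
    try:
        scoped.get("customer-a", "vol-0002")
        cross_blocked = False
    except KeyError:
        cross_blocked = True

    return {
        "unscoped_leaks_other_tenant": leaked_owner == "customer-b",
        "scoped_returns_own": own,
        "scoped_blocks_cross_tenant": cross_blocked,
        "a_sees": scoped.list_for("customer-a"),
        "audit_events": audit.events,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The design point is that the tenant identity is a mandatory parameter of every data-access path (reads and listings alike), rather than a filter the caller is trusted to add; returning the same "not found" error for a foreign resource as for a missing one avoids turning the store into an existence oracle, while the audit record keeps the denied attempt visible to the provider.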