ISO/IEC 27017:2015 - Information technology — Security techniques Code of practice for information security controls based on ISO/IEC 27002 for cloud services

What is ISO 27017 Compliance?

ISO/IEC 27017:2015 is a code of practice that extends ISO/IEC 27002 with information security controls and implementation guidance specific to cloud services. It gives cloud-specific guidance for 37 of the existing ISO 27002 controls and adds 7 new controls that have no counterpart in ISO 27002. These cover areas such as the division of security responsibilities between a cloud service provider and its customers, the removal and return of customer assets when a contract ends, isolation of each customer's virtual environment, and monitoring of cloud services. ISO 27017 is written for both cloud service providers and cloud service customers, and its aim is to help both sides improve their security posture in the cloud and reduce the likelihood and impact of security breaches.

Scope of ISO 27017 Compliance

ISO 27017 applies to both cloud service providers and cloud service customers. Because it is a code of practice rather than a requirements standard, it is not certified on its own: an organization must first operate an Information Security Management System that meets ISO 27001, and the ISO 27017 controls are then audited as an extension of that ISMS. Beyond the cloud-specific guidance it adds to existing ISO 27002 controls, the audit covers seven controls that exist only in ISO 27017:

  • Shared roles and responsibilities: which security tasks fall to the provider and which to the customer, documented and agreed between the two.
  • Removal of customer assets: deletion or return of customer data and other assets when the contract ends.
  • Segregation in virtual computing environments: isolating one customer's virtual resources from other customers and from the provider's own systems.
  • Virtual machine hardening: configuring virtual machines so that only the ports, protocols and services the business actually needs are enabled.
  • Administrator operational security: defining and documenting the procedures administrators follow for critical operations.
  • Monitoring of cloud services: giving customers the ability to monitor the services they use, consistent with what the provider itself monitors.
  • Alignment of security management for virtual and physical networks: applying the same security policy and configuration controls to virtual networks as to physical ones.

Role of ISO 27017 in Cloud Security

ISO 27017 strengthens cloud security by supplementing the general ISMS foundation of ISO 27001 with controls aimed at risks that are specific to the cloud: secure deletion or return of customer data when a contract ends, isolation of customers' virtual environments from one another, hardening of virtual machines, and operational discipline for administrators with privileged access. Just as importantly, it makes the split of responsibilities between provider and customer explicit, so that neither side assumes the other is covering a control, and it sets expectations for the monitoring a customer can perform on the services it uses. Organizations that adopt it gain a structured way to manage cloud security risk, a recognized basis for customer trust, and alignment with an international standard.

Certification process

  • Complete a profiling form to customize a quote for your organization detailing the cost, planning and time required.
  • Conduct a pre-audit to determine if your organization already fulfills the requirements for the standard and identify areas for improvement.
  • Stage 1 site visit by our auditors to verify the profile submitted during your application and determine your readiness for Stage 2.
  • Stage 2 on-site audit by MOODY auditors.
  • Propose and implement corrective actions, if any.
  • Receive your audit report and certificate from the committee.

Why choose MOODY?

MOODY is a global provider of management systems certification, with experienced auditors around the world who can work in your language. Because ISO/IEC 27017:2015 is certified as an extension of ISO 27001, our auditors can assess it alongside your ISMS and any other management systems you hold. We can also act as a one-stop provider for your certification needs by bundling product testing and certification services. The MOODY certification mark demonstrates your commitment to delivering secure, quality products and services.