ISO 27017
ISO/IEC 27017 is an international standard that provides guidelines for the information security of cloud services. It extends the foundational standards ISO 27001 and ISO 27002 with cloud-specific controls and implementation guidance for cloud service providers and their customers, addressing cloud-specific risks such as shared responsibilities, multi-tenancy, and virtualization. It proposes additional measures and helps establish consistent security practices so that cloud services can be trusted and secured.
What ISO 27017 does:
Extension for the cloud: Adds cloud-specific guidance and controls that ISO 27002 does not fully cover.
Target audience: Cloud service providers (CSPs) and their customers.
Includes: Cloud-specific implementation guidance for 37 existing ISO 27002 controls, plus 7 new, cloud-specific controls (the CLD controls).
Benefits: Provides a framework for aligning security management across virtual and physical environments, reduces cloud-specific risks, and standardizes the provider-customer relationship.
Certification: Enables certification that demonstrates conformance with international security standards for cloud services, typically as an extension of an existing ISO 27001 certification.
Key Aspects:
Shared Responsibility: Clarifies which security responsibilities lie with the cloud service provider and which with the customer.
Cloud Risks: Addresses risks specific to the cloud, such as virtualization, multi-tenancy, and the handling of customer assets (including their return and removal when a service ends).
In Summary:
ISO 27017 is the gold standard for cloud security: it applies general information security management (ISO 27001/27002) to the specific requirements of cloud services and creates a trusted environment for cloud usage.