The primary features of ISO/IEC 27017:2015 are summarised in the points below.
ISO/IEC 27017 is a security standard developed for cloud service providers and cloud service customers to create a safer cloud-based environment and reduce the risk of security problems. It is part of the ISO/IEC 27000 family of standards, which provides best-practice recommendations on information security management. This standard was built on ISO/IEC 27002, adding cloud-specific security controls that ISO/IEC 27002 does not fully define.
This International Standard provides guidelines supporting the implementation of information security controls for cloud service customers, who implement the controls, and cloud service providers to support the implementations of those controls. The selection of appropriate information security controls and the application of the implementation guidance provided will depend on a risk assessment and any legal, contractual, regulatory or other cloud-sector-specific information security requirements.
It adds 7 cloud-specific controls, which address the following:
- Who is responsible for what between the cloud service provider and the cloud customer.
- The removal or return of assets at the end of a contract.
- Protection and separation of the customer’s virtual environment.
- Virtual machine configuration.
- Administrative operations and procedures associated with the cloud environment.
- Cloud customer monitoring of activity.
- Virtual and cloud network environment alignment.
Any organisation which provides cloud-based services can benefit from ISO/IEC 27017 certification – from online email providers and document management platforms to cloud-based apps and tools. It demonstrates to customers that you are following the most stringent cloud services security standards and have processes in place to manage any unforeseen problems.
If your organisation provides cloud services your customers will want assurances that their data, documents, messages and activity are protected under any circumstances. They will also want evidence that they will be able to retrieve and move their data whenever they wish. ISO/IEC 27017 cloud standard gives them that confidence.
Becoming ISO/IEC 27017 certified provides multiple benefits:
- Reduces operational risk: by adhering to the ISO/IEC 27017 guidelines you can efficiently analyse vulnerabilities and reduce the likelihood of data breaches, as well as the regulatory fines and penalties that follow them.
- Wins market trust: an independent third-party assessment demonstrates your commitment to global information security practices. Winning stakeholder confidence gives you a competitive advantage, as potential investors and customers identify you as a responsible partner.
- Defines and clarifies responsibilities: ISO/IEC 27017 clearly outlines the relationship, roles, rights and responsibilities between cloud service customers and cloud service providers, enabling you to become a preferred CSP and expand your business globally.
More and more businesses are offering cloud-based services to customers, so purchasing departments increasingly demand evidence that data stored on those cloud servers is safe. ISO/IEC 27017 is a set of guidelines for safeguarding cloud-based environments and minimising the risk of security incidents.