ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services gives guidelines for information security controls applicable to the provision and use of cloud services. It does so by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 and additional controls with implementation guidance that specifically relate to cloud services. The standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
The standard was last reviewed and confirmed in 2021; therefore, this version remains current.
Table of Contents
Introduction
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Additional References
3 Definitions and abbreviations
3.1 Terms defined elsewhere
3.2 Abbreviations
4 Cloud sector-specific concepts
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Annex A Cloud service extended control set
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.8.1 Responsibility for assets
CLD.9.5 Access control of cloud service customer data in shared virtual environment
CLD.12.1 Operational procedures and responsibilities
CLD.12.4 Logging and monitoring
CLD.13.1 Network security management
Annex B References on information security risk related to cloud computing
Applying ISO/IEC 27017
Implementing information security controls for cloud services in conformity with ISO/IEC 27017 involves the steps below. They are written mainly from the cloud service customer's perspective, but the standard also gives guidance for the cloud service provider side of each control, and most steps have a provider counterpart (for example, publishing which controls the provider operates so the customer can plan its own).
Leadership and Commitment
- Demonstrate leadership commitment to information security within the organization, particularly in the context of cloud services.
- Establish an information security policy that aligns with organizational goals and states how cloud services may be used, which data may be placed in them, and who is accountable for the controls that the organization, rather than the provider, must operate.
Scope and Context
- Determine the scope of information security controls for cloud services: which services, which data classifications, and which parts of the organization are covered.
- Understand the internal and external context, including legal and regulatory requirements related to cloud security and any constraints on where data may be stored or processed.
Legal and Regulatory Compliance
- Identify and comply with relevant legal and regulatory requirements specific to cloud services.
- Stay informed about changes in legislation that may impact cloud security practices.
Risk Assessment and Management
- Identify and assess security risks associated with the organization's use of cloud services, taking into account which controls the provider operates and which remain the customer's responsibility (Annex B lists references on cloud-specific risk).
- Develop risk treatment plans and controls to manage and reduce security risks in the cloud environment, and record the residual risks the organization accepts.
Security Policy for Cloud Services
- Develop an information security policy specifically tailored for cloud services, or a cloud-specific supplement to the general policy.
- Define roles and responsibilities related to cloud security, including the split of responsibilities between the cloud service provider and the organization that CLD.6.3 addresses; document it so that no control is assumed to be handled by the other party.
Cloud Service Provider Selection
- Establish criteria for selecting cloud service providers based on security requirements, such as data location, segregation from other tenants, and availability of logs to the customer.
- Conduct due diligence assessments to evaluate the security capabilities of potential cloud service providers, including whether the provider's own controls are aligned with ISO/IEC 27017.
Contractual Agreements
- Negotiate and establish contractual agreements with cloud service providers that include specific security requirements and assurances, including the return or removal of the organization's data and assets when the service ends (an area covered by CLD.8.1).
- Define service level agreements (SLAs) related to security, data protection, incident notification and response, and compliance, including how and when the provider will tell the customer about incidents affecting its data.
Access Controls and Authentication
- Implement access controls and authentication mechanisms so that only authorized identities have access to cloud resources and data, following least privilege, and confirm how the provider segregates the organization's data from other tenants in a shared virtual environment (CLD.9.5).
- Use strong authentication methods such as multi-factor authentication (MFA), at minimum for administrative and console access to cloud services.
Data Encryption and Privacy
- Implement encryption mechanisms to protect data at rest, in transit, and, where the service supports it, during processing within the cloud environment, and decide explicitly who generates, holds, and can revoke the keys (the provider, the customer, or both).
- Ensure compliance with data privacy regulations and standards applicable to the organization's data stored in the cloud, including any requirements on where the data and its backups may reside.
Monitoring and Logging
- Implement monitoring and logging capabilities to track and analyze activities within the cloud environment; because much of this depends on what the provider exposes, agree in advance which logs the customer can obtain, in what format, and for how long they are retained (CLD.12.4).
- Monitor for suspicious or unauthorized behavior, security incidents, and compliance violations, and make sure the clocks of provider and customer logs are synchronized so events can be correlated.
Incident Response and Management
- Develop and implement incident response procedures specific to cloud security incidents, including what evidence the organization can and cannot collect itself and what it must request from the provider.
- Establish communication channels and procedures for reporting and responding to security incidents involving cloud services, in both directions between customer and provider.
Security Awareness and Training
- Provide security awareness training to employees and stakeholders regarding the unique security considerations associated with cloud services.
- Educate users on best practices for securely using cloud resources and data.
Third-Party Audits and Certification
- Obtain third-party audit reports and certifications from cloud service providers to verify compliance with security standards and best practices, for example an ISO/IEC 27001 certificate whose statement of applicability includes the ISO/IEC 27017 controls.
- Review audit reports and certifications to confirm that their scope actually covers the services and locations the organization uses, and that they align with organizational security requirements.
Continual Monitoring and Improvement
- Implement processes for continual monitoring of cloud security controls and performance.
- Regularly review and update security controls based on changes in technology, threats, business requirements, and the provider's own service changes.
Documentation and Record-Keeping
- Develop and maintain documentation related to cloud security policies, procedures, and controls.
- Keep records of security assessments, audits, incidents, and compliance documentation.
In conclusion…
By following these steps, organizations can implement information security controls for cloud services in accordance with ISO/IEC 27017. Regular reviews and updates are essential to ensure the continued effectiveness and relevance of cloud security practices. Note that ISO/IEC 27017 is a code of practice, not a management-system standard: an organization is not certified against ISO/IEC 27017 on its own, but can include its controls in the scope of an ISO/IEC 27001 certification.
ISO/IEC 27017 can be purchased through the ISO.org website. The same text is also published as ITU-T Recommendation X.1631.