Codes of practice

ISO/IEC 27017 Information Security Controls for Cloud Services

The Team
April 16, 20244 minute read
Eye And Fingerprint Recognition

ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services gives guidelines for information security controls applicable to the provision and use of cloud services. It does so by providing additional implementation guidance for relevant controls specified in ISO/IEC 27002 and additional controls with implementation guidance that specifically relate to cloud services. The standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

The standard was last reviewed and confirmed in 2021; therefore, this version remains current.

Table of Contents

Introduction
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Additional References
3 Definitions and abbreviations
3.1 Terms defined elsewhere
3.2 Abbreviations
4 Cloud sector-specific concepts
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Annex A Cloud service extended control set
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.8.1 Responsibility for assets
CLD.9.5 Access control of cloud service customer data in shared virtual environment
CLD.12.1 Operational procedures and responsibilities
CLD.12.4 Logging and monitoring
CLD.13.1 Network security management
Annex B References on information security risk related to cloud computing
ISO/IEC 27017:2015

Applying ISO/IEC 27017

Implementing information security controls for cloud services in conformity with ISO/IEC 27017 involves several key steps.

Here are those steps.

Leadership and Commitment

  • Demonstrate leadership commitment to information security within the organization, particularly in the context of cloud services.
  • Establish an information security policy that aligns with organizational goals and includes specific considerations for cloud services.

Scope and Context

  • Determine the scope of information security controls for cloud services.
  • Understand the internal and external context, including legal and regulatory requirements related to cloud security.

Legal and Regulatory Compliance

  • Identify and comply with relevant legal and regulatory requirements specific to cloud services.
  • Stay informed about changes in legislation that may impact cloud security practices.

Risk Assessment and Management

  • Identify and assess security risks associated with the organization’s use of cloud services.
  • Develop risk mitigation strategies and controls to manage and reduce security risks in the cloud environment.

Security Policy for Cloud Services

  • Develop an information security policy specifically tailored for cloud services.
  • Define roles and responsibilities related to cloud security, including those of the cloud service provider and the organization.

Cloud Service Provider Selection

  • Establish criteria for selecting cloud service providers based on security requirements.
  • Conduct due diligence assessments to evaluate the security capabilities of potential cloud service providers.

Contractual Agreements

  • Negotiate and establish contractual agreements with cloud service providers that include specific security requirements and assurances.
  • Define service level agreements (SLAs) related to security, data protection, incident response, and compliance.

Access Controls and Authentication

  • Implement access controls and authentication mechanisms to ensure that only authorized individuals have access to cloud resources and data.
  • Utilize strong authentication methods such as multi-factor authentication (MFA) for accessing cloud services.

Data Encryption and Privacy

  • Implement encryption mechanisms to protect data at rest, in transit, and during processing within the cloud environment.
  • Ensure compliance with data privacy regulations and standards applicable to the organization’s data stored in the cloud.

Monitoring and Logging

  • Implement monitoring and logging capabilities to track and analyze activities within the cloud environment.
  • Monitor for suspicious or unauthorized behavior, security incidents, and compliance violations.

Incident Response and Management

  • Develop and implement incident response procedures specific to cloud security incidents.
  • Establish communication channels and procedures for reporting and responding to security incidents involving cloud services.

Security Awareness and Training

  • Provide security awareness training to employees and stakeholders regarding the unique security considerations associated with cloud services.
  • Educate users on best practices for securely using cloud resources and data.

Third-Party Audits and Certification

  • Seek third-party audits and certifications for cloud service providers to verify compliance with security standards and best practices.
  • Review audit reports and certifications to ensure alignment with organizational security requirements.

Continual Monitoring and Improvement

  • Implement processes for continual monitoring of cloud security controls and performance.
  • Regularly review and update security controls based on changes in technology, threats, and business requirements.

Documentation and Record-Keeping

  • Develop and maintain documentation related to cloud security policies, procedures, and controls.
  • Keep records of security assessments, audits, incidents, and compliance documentation.

In conclusion…

By following these steps, organizations can effectively implement information security controls in respect of cloud services in accordance with ISO/IEC 27017. Regular reviews and updates are essential to ensure the continued effectiveness and relevance of cloud security practices.

ISO/IEC 27017 can be purchased through the ISO.org website.

Keywords
Share this Article
Further Reading
Trending Articles
ISO 45001 Occupational Health & Safety Management Systems
September 12, 2024

ISO 45001 Occupational Health & Safety Management Systems

Quality Control
April 15, 2024

ISO 9001 Quality Management Systems

ISO 19650-1 Building Information Modelling — Concepts & Principles
April 15, 2024

ISO 19650-1 Building Information Modelling — Concepts & Principles

Medical Device
April 15, 2024

ISO 14971 Medical Devices Risk Management

CCTV
April 15, 2024

ISO 18788 Management System for Private Security Operations

Logistics
April 15, 2024

ISO 23354 Business Requirements for End-to-End Visibility of Logistics Flow

No Comments

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

FREE SELF-AUDIT TOOL

Our self-audit tool is designed to help organizations evaluate their conformity with the requirements of an ISO management system standard. It provides a structured approach to assess compliance, identify gaps, and implement improvements.
Download your free copy of the self-audit tool from here (.pdf).

Back To Top