What Is ISO 27017 and How Does it Inform Cloud Security?

ISO 27017 featured

As cloud computing continues gaining popularity, organizations increasingly turn to cloud services to store and process their data. However, with this increased reliance on cloud services comes a heightened risk of data breaches and cyber attacks, making cloud security a critical concern for businesses of all sizes.

To address these concerns, the International Organization for Standardization (ISO) has published a code of practice for information security controls for cloud services–ISO 27017. This standard provides guidelines and general principles for securing cloud-based systems and protecting against potential security threats.

This article will explore the critical components of ISO 27017 and their importance in securing cloud-based systems. We will also discuss some of the best practices for implementing ISO 27017 in your organization and the benefits that it can provide. Finally, we will examine some challenges organizations may face when implementing ISO 27017 and guide them on overcoming them.


What Is ISO 27017?

ISO 27017 is a collection of requirements and best practices for implementing information security controls for cloud services as a supplement for other publications within the ISO 27000 series–specifically, ISO 27002. 

ISO 27002 is a general code of practice for information security management that covers a wide range of information security controls and best practices that can be applied in any organization. ISO 27002 is intended to be used with ISO/IEC 27001, the standard for information security management systems.

ISO 27017, on the other hand, provides cloud-specific information security controls that supplement the controls of ISO/IEC 27001 and ISO 27002. The controls provided in ISO 27017 are intended to help cloud service providers and customers secure their data and systems in the cloud environment.


What Are Some of the Key Provisions Outlined in ISO 27017?

Maintain Cloud Security on Both Ends with Lazarus Alliance.

#lazarusalliance #continuumgrc #iso27001 #iso27701

ISO 27017 generally provides additional requirements to some of the key components of ISO 27002. It will also divide these requirements such that they apply to a Cloud Service Provider (CSP) and a Cloud Service Customer (CSC).

A cloud service provider (CSP) is a company that provides cloud computing services to businesses and individuals. In contrast, a cloud service customer (CSC) is a business or individual that uses these services.

Here are some of the key differences between cloud service customers and providers:

  • Ownership and Control: The cloud service provider owns and controls the cloud infrastructure, such as servers, storage, and networking equipment, while the customer does not own or control this infrastructure.
  • Service Level Agreements: The cloud service provider is responsible for meeting the SLAs, which define the quality of service that the customer can expect. The cloud service customer relies on the provider to meet these SLAs.
  • Data Security and Privacy: The cloud service provider is responsible for securing and protecting the data stored and processed on their infrastructure. The cloud service customer is responsible for ensuring that the data they store and the process comply with regulations and are secure.
  • Cost Structure: The cloud service provider charges the cloud service customer for their services, usually on a pay-per-use or subscription basis.
  • Customization: The cloud service provider provides a standardized set of services that can be customized to some extent, while the cloud service customer can customize their use of these services to fit their specific needs.

        Overall, the cloud service provider is responsible for providing the infrastructure, platform, or software as a service, while the cloud service customer is responsible for using these services to meet their business needs.

        While you might think that a cloud service customer wouldn’t have responsibilities under a compliance regulation, the changing landscape of managed services has shifted our understanding of how different data-handling systems interact. In this case, it’s critical to note that someone using a cloud service through a provider has to take specific steps to protect their data, and these steps cannot be offloaded entirely onto the provider. 

        Generally, you’ll see specific guidance provided for each category:


        Cloud Service Providers

        CSPs typically have requirements that revolve around properly implementing security systems, reporting mechanisms, and (most importantly) informing customers about critical people, configurations, and events related to their service. 

        • Provisioning: Cloud service providers should have security in place to address the provisioning of cloud resources with multiple tenants. This security must address common IT vulnerabilities like inside sources, virtualization, asset protection, identity and access management, and so on.
        • Documentation of Roles and Responsibilities: The provider should be able to provide, in documentation, a hierarchy of roles and responsibilities to their customers. 
        • Employee Training: All providers should give their employees ongoing training and education on the proper handling of customer data, expressly confidential or regulated data. 
        • Inventories: Providers must maintain and provide, when necessary, inventories that identify both cloud service customer data and service-derived data.
        • Access Rights and Provisioning: Cloud providers should have documented and implemented identity and access management (IAM) systems that secure provisioned cloud services across tenets. These systems should be described in detail to the customers so that they can understand how those impact cloud security.
        • Security and Resilience: Cloud Providers should regularly communicate their security and backup capabilities to customers, including access and identity management, cryptography, backups and recovery systems, etc.
        • Changes and Updates: All changes that can impact cloud service and security must be communicated to the customer in a timely manner, in such a way that highlights how that impact will affect specific customer data and systems. 
        • Legal Jurisdictions and Geography: Cloud providers must provide accurate geographical and jurisdictional information to customers and how they relate to issues of regulatory requirements, compliance standards, or industry-specific security frameworks.


          Cloud Customers

          On the other hand, customers must take responsibility for ensuring that they understand the CSP’s capabilities and jurisdictions and that both align with their business and IT goals. 

          • Policies: Cloud customers must create and maintain policies specifically addressing cloud computing, including the capabilities and vulnerabilities of their provider. This policy must consider the types of data stored in the cloud, how the provider can access that information, who administers that information, etc.
          • Compliance and Geography: Customers should be able to understand where a provider stores data and how that impacts compliance and regulatory requirements.
          • Education and Inventories: To maintain the security and privacy of their data, customers should implement ongoing education on how to use cloud services properly. As part of this task, they also should maintain inventories of data stored in the cloud, where that data is stored, and whether or not that storage is sufficient for business needs.
          • Labeling: Customers should label any data stored in the cloud based on the inventories created and including any additional information from the cloud service provider. 
          • Verification: It is incumbent on a cloud customer to understand and verify any cloud components that may impact security or compliance (such as jurisdiction, geography, encryption, access control, etc.). 
          • Reporting: Customers should request information from the provider related to reporting security events (detected by either the customer or the provider) and tracking such reports through a ticketing system or another mechanism. 

          Note that this list isn’t exhaustive, and there are several overlapping considerations that providers and customers must take into account to utilize cloud infrastructure best. 


          Maintain Cloud Security on Both Ends with Lazarus Alliance.

          Are you seeking compliance with ISO 27017 or strengthening cloud security overall? Contact Lazarus Alliance to work with our team of security experts.

          Are you ready to take control of your cybersecurity? Contact Lazarus Alliance.

          Lazarus Alliance