What is the Scope and Some Key Provisions of ISO 27017?

Posted: May 23, 2024 in ISO 27017 Documents, ISO/IEC 27017 Standard

To protect both physical networks and virtual cloud infrastructure, cloud service providers and their customers can follow the guidance in ISO/IEC 27017, a code of practice for cloud information security controls. The international standard supports organizations in two ways: it adds implementation guidance, specific to cloud environments, for the Information Security Management System (ISMS) controls already defined in ISO/IEC 27002, and it introduces a small set of controls that apply only to cloud services.

Cloud computing introduces additional risks and difficulties around data security, privacy, and compliance: infrastructure is shared between tenants, administrative access is held by a third party, and responsibility for each control is split between two organizations. ISO 27017 addresses these challenges with a framework of cloud-specific security measures. It helps businesses identify and put in place the right safeguards to protect their assets and data when using cloud services, and it gives cloud service providers (CSPs) and their customers a common basis for transparency and trust, since both sides can document which controls each of them is responsible for.

Scope of ISO/IEC 27017

ISO 27017 is intended for cloud service providers and cloud service customers that already operate an Information Security Management System meeting the requirements of ISO 27001; it is not certified on its own but is used as a control set alongside an ISO 27001 ISMS. The standard provides cloud-specific implementation guidance for 37 of the controls in ISO/IEC 27002; which of them an organization applies follows from its own risk assessment. The provider should be able to present, in its ISO 27017 documentation, a clear allocation of roles and responsibilities between itself and its customers, so that neither side assumes the other is covering a control. In addition, the standard defines the following seven controls that are specific to cloud services and have no counterpart in ISO 27002:

  • Shared roles and responsibilities: the security obligations that customers and providers each hold in the cloud computing environment, documented and agreed between them
  • Removal of customer assets: return, deletion, and recovery of the customer’s data and assets when the service contract ends
  • Segregation in virtual computing environments: isolating one customer’s virtual environment (compute, storage, and network) from every other customer’s
  • Virtual machine hardening: configuring virtual machines to reduce their attack surface, in line with business needs
  • Administrator’s operational security: the procedures and controls that govern privileged administrative operations on the cloud service
  • Monitoring of cloud services: the provider offering the customer the capability to monitor specified aspects of the cloud services it uses
  • Alignment of security management for virtual and physical networks: ensuring the security policies applied to virtual networks are consistent with those applied to the physical network underneath them

What are Some Key Provisions Outlined in ISO 27017?

For many of the ISO 27002 controls, ISO 27017 specifies additional implementation guidance. That guidance is split so that it addresses cloud service customers (CSCs) and cloud service providers (CSPs) separately, because the same control often means different actions for each party. Organizations that offer cloud computing services to consumers and businesses are known as cloud service providers, or CSPs for short. A business or individual using those services is referred to as a cloud service customer (CSC). Customers and providers of cloud services differ in the following important ways:

  • Ownership and Control: The cloud service provider owns and controls the cloud infrastructure (servers, storage, hypervisors, and networking equipment); the customer neither owns nor directly controls it, and must rely on the provider’s controls for that layer.
  • Service Level Agreements: The SLAs specify the level and quality of service the customer can expect, and it is the cloud service provider’s responsibility to meet them.
  • Data Security and Privacy: Responsibility is shared. The provider must safeguard the infrastructure on which customer data is processed and stored, while the customer remains responsible for ensuring that its own procedures, configurations, and the data it places in the cloud are secure and compliant with applicable laws.
  • Expense Structure: The cloud service provider bills the customer for its services, typically on a subscription or pay-per-use basis.
  • Customization: The cloud service provider offers a standardized set of services with limited customization, and the customer tailors how those services are configured and used to meet its own requirements.

In general, the provider supplies the infrastructure, platform, or software as a service, and it is the customer’s responsibility to use and configure those services securely to suit its business needs.

One might assume that a cloud service customer is not itself subject to compliance obligations, but the growth of managed services has changed our understanding of how the various data-handling systems interact. A customer that consumes a cloud service through a provider still needs to take specific precautions to safeguard its own data, and ISO 27017 is where those customer-side controls are spelled out.
