ISO 27017: cloud protection essentials

ISO 27017 emerged from the ISO 27000 family of security standards. ISO experts realized that existing standards like ISO 27001 and ISO 27002 failed to protect cloud data. ISO 27017 adds seven new controls for the cloud and supplements ISO 27002 with implementation guidance on applying 37 core information security controls.

It is important to note that cloud services cannot use ISO 27017 as an overarching standard to develop an Information Security Management System—a role performed by ISO 27001. ISO 27017 provides up-to-date implementation guidance for users and providers of cloud services.

Is ISO 27017 a certification?

There is no independent ISO 27017 certification. Cloud service providers and users cannot use the standard alone as evidence of robust security practices. However, ISO 27017 can form part of a broader ISO 27001 certification process.

During the ISO 27001 assessment, companies can choose to implement ISO 27017 information security controls. Adding ISO 27017 controls into the project scope shows that an organization takes cloud security seriously and treats it as a stand-alone challenge. Certification bodies assess information security controls against ISO 27017 standards, providing independent cloud security verification.

ISO 27017 benefits for cloud service providers

ISO 27017 is becoming increasingly important as users rely on third-party cloud service providers and outsourced digital technology. The standard also has many benefits for CSPs that sell cloud-based products.

Advantages of ISO 27017 for cloud services include:

Security assurance for customers

Following ISO 27017 guidance assures buyers that cloud vendors take information security seriously. Companies know they can trust compliant partners with their data. Cloud services can form long-lasting commercial relationships and develop an information security-conscious brand identity.

Clarity about security roles

ISO 27017 helps cloud service providers define their security responsibilities. CSPs can dedicate sufficient resources to protect their assets and infrastructure. Users know their role in protecting data and managing access to cloud services.

Managing data breach risks

Correctly implemented ISO 27017 information security techniques cut the risk of data breaches via CSPs. Organizations must create and follow strategic plans to protect user data. The guidance also requires strict risk assessment procedures for all critical assets.

Updating previous ISO certification

Existing ISO 27001 implementations may require modernization as companies migrate to cloud-based systems. ISO 27017 supplements ISO 27001, making it easier to secure virtualized environments and move data safely.

Global security assurance

ISO 27017:2015 is a widely recognized international standard. Companies can implement the ISO's recommended information security controls to design a cloud environment that meets security standards in all jurisdictions.

Overall security management

ISO 27017 takes a holistic view of cloud security controls. Cloud service providers can create information security management systems that cover all assets and potential threats. This security framework allows sustainable threat management over the long term and assures stakeholders that the organization controls cloud-hosted data and apps.

ISO 27017: understanding the latest update

The latest version of ISO's cloud security framework is ISO IEC 27017:2015. Security experts reviewed the 2015 framework in 2021, confirming that it met information security needs and remained effective.

It's important to remember that ISO regulations periodically change to reflect state-of-the-art security techniques. ISO 27017 is currently under review and will be replaced by a new standard, ISO IEC CD 27017. However, until this new draft is published, ISO IEC 27017 2015 remains the relevant framework.

List of ISO 27017 controls

ISO 27017 functions around a register of information security controls. These controls could be technical, physical, or administrative. Each control safeguards data and should be implemented in accordance with the organization's risk assessment processes.

ISO IEC 27017:2015 added seven additional security controls to those in ISO 27002. These new cloud computing controls include:

• Monitoring cloud computing services to detect threats
• Defining roles and responsibilities of users and service providers
• Secure removal of customer assets in virtual environments
• Creating segregated virtual environments for a customer's virtual environment
• Hardening virtual machines to prevent data breaches
• Securing administrative operations
• Aligning the security of physical and virtual networks
  
  

The seven controls above relate exclusively to securing a cloud computing environment. They supplement the ISO 27001 and 27002. Implementation guidance in the ISO 27017 framework also builds on 37 ISO 27002 information security controls, making them more relevant for cloud services.

Steps to ISO 27017 compliance

Aligning cloud security controls with ISO best practices is advisable for CSPs and organizations that rely on cloud technology.

Compliance pathways vary depending on the type of virtual environments, data processing needs, and project scope. However, a typical compliance process would proceed like this:

Gain ISO 27001 certification

Firstly, cloud services should achieve ISO 27001 certification. Compliance requires designing, creating, and maintaining a sustainable information security management system (ISMS). An ISO 27001-compliant ISMS is the foundation for robust ISO 27017 compliance.

Plan and implement ISO 27017 security controls

The next step involves implementing all ISO 27002 information security controls and the seven controls that are exclusive to the ISO 27017 framework. Best practices to follow here include:

• Assess cloud-specific risks. For instance, companies must manage access to prevent unauthorized sharing or viewing of private data. Handling cloud data breach risks requires specialist technical controls.
• Clearly define user and customer roles. Information security policies should explain who is responsible for protecting data and assets in the cloud.
• Control user access. Use multi-factor authentication, firewalls, and role-based access management to keep sensitive data off-limits. Provide minimal access for each user based on legitimate business needs. Apply additional security controls for administrative operations.
• Encrypt data at rest on cloud servers. Use strong encryption and secure key management to defend cloud storage servers. Encrypt data in transit and record encryption tools with clear policy documents.
• Use secure configuration management. Keep all cloud infrastructure and apps under review. Check every virtual machine configuration to prevent security vulnerabilities.
• Use robust data segregation. CSPs must segregate every customer's virtual environment from other users.
• Implement activity monitoring. Monitor user activity and data movements to detect and neutralize threats. Maintain activity logs for security audits. Use cloud customer monitoring data to improve security controls.
• Create cloud incident response plans. Create incident response plans to protect and restore cloud services. Test responses regularly and create communication processes with clients and other stakeholders.
• Backup critical data. Back up user data as part of incident recovery processes. Test data backups to maximize the availability of cloud services during security alerts.
• Provide information security training. ISO 27017 requires companies to educate staff in secure cloud computing practices.

Update your ISO 27001 certification

Companies cannot apply for a specialist ISO 27017 certification. Instead, organizations must re-apply for ISO 27001 certification. This fresh certification must include relevant ISO 27017 controls within the audit scope. Assessors will analyze cloud security systems and ensure they meet ISO 27017 standards.

Put in place continuous compliance

ISO 27001 (and 27017) certification is valid for three years. Companies must then renew their certification with a new audit process. In the meantime, organizations should implement regular monitoring and cloud security audits. They should update security controls as their cloud environment or data processing needs change.

Differences between ISO 27017 and ISO 27018

ISO 27017 is not the only ISO document related to cloud computing. Organizations may also encounter ISO 27018 when securing their cloud environment, which can lead to confusion. However, the two frameworks play very different information security roles.

ISO 27018 seeks to protect personally identifiable information (PII) in cloud environments. PII includes data that can identify individuals. ISO 27018 recommends ways to guard PII on virtual and physical networks, enabling companies to comply with privacy and data protection regulations.

ISO 27018 suits cloud service providers that collect, store, or process personal data and have concerns about GDPR or HIPAA compliance.

ISO 27017 is a more comprehensive guide to securing a cloud environment. Recommended controls address cloud-specific issues like virtual machine configuration. Companies should use ISO 27017 to update their data security techniques while migrating to the cloud, and CSPs can use the standard to design secure cloud services.

Both ISO 27017 and ISO 27018 defend cloud assets against digital threats, whether they are internal or external. If your organization delivers cloud services or uses cloud service providers to host data, ISO 27017 compliance could be a wise move. Explore your options and refine your cloud security with the leading international standard.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.