
Cloud computing has become an integral part of everyday business life. We store documents in the cloud, communicate via it and run applications on it. However, as our reliance on cloud services has grown, a question has emerged that more and more organisations are asking themselves: who is actually responsible for the security of our data in the cloud?
The answer – at least in terms of standards and best practices – is the ISO/IEC 27017 standard.
ISO 27017 is a standard published by the International Organisation for Standardisation (ISO) in collaboration with the International Electrotechnical Commission (IEC). Its full title is ISO/IEC 27017:2015 – Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
The standard did not arise in a vacuum – it is an extension of the well-known ISO 27001 and ISO 27002 standards, supplemented with guidelines specific to cloud environments. This means that organisations already working with an information security management system have a solid foundation for its implementation.
ISO 27017 addresses areas that were overlooked or treated too broadly in the traditional approach to IT security – because the cloud operates according to its own rules.
The standard provides guidance on, amongst other things:

This is one of the greatest advantages of ISO 27017 – the standard addresses both sides of the cloud relationship at once. It applies to cloud service providers (CSPs) and to their customers (CSCs), giving each party its own set of controls and implementation guidance.
This ensures that both parties operate within a shared framework of language and expectations. The provider knows what they must deliver. The customer knows what they can expect. It is a simple recipe for more transparent and secure business relationships.
ISO 27017 is the industry’s response to one of the greatest challenges of digital transformation – how to ensure data security when the infrastructure is no longer solely under our control. If your company uses the cloud – and statistically, it almost certainly does – it is worth knowing that there is a standard that brings order to this area and provides concrete tools for action.