ISO 27017: Security Controls for Cloud Services
What is ISO 27017?
ISO/IEC 27017 is an information security code of practise for cloud services. It’s an extension to ISO/IEC 27001 and ISO/IEC 27002, and it provides additional security controls for cloud service providers and for cloud service customers. An organisation implementing the standard would select the relevant controls for their circumstances.
As an extension to ISO 27002, ISO 27017 provides guidance on 33 ISO 27002 controls, as well providing some additional controls:
The shared roles and responsibilities between the cloud service providers and customers
Removal and return of cloud service customers assets when a contract has been terminated
Segregation in virtual computing environments
Secure hardening of virtual machines
Documenting critical operational procedures
Allowing cloud service customers to be able to monitor relevant activities within the cloud
The alignment of security management for both virtual and physical networks
Get in touch
Helps you with
- Customer trust
- Brand reputation
- Competitive advantage
- Data breaches
- Continued confidentiality
- Meet compliance
- Risk management
- Improved security
Other risk management standards:
- ISO 27001 - Information Security
- ISO 27701 - GDPR Compliance
- BS 10012 - Personal Information
- ISO 20000-1 - IT Service Management
- ISO 27018 - Protection of Personally Identifiable Information
- ISO 22301 - Business Continuity
- ISO 44001 - Collaborative Working
- ISO 55001 - Asset Management
- ISO 41001 - Facilities Management
ISO 27001 training
Benefits of ISO 27017 Certification
External assurance to customers
Provides external assurance to customers that information processed in the cloud by their cloud service provider is secure.
It helps reduce the risk of a security breach and other risks, this will increase stakeholders trust.
Framework for cloud services customers
Provides a comprehensive information security management framework for cloud services customers and in so doing it holds their providers to account.
Extends and enhances certification
It extends and enhances a clients ISO 27001 certification.
Information security management framework
It provides a comprehensive information security management framework for cloud service providers who want increased assurance on the security of their operations and of customers’ information.
Why implement ISO 27017?
Ensuring that your clients feel safe about their data being stored in the cloud is vital. Having ISO/IEC 27017 standard is an internationally recognised framework that can help you to reduce the risk of data breaches and build customer trust by showing your commitment to information security. The standard also gives guidance to cloud service customers on what they should expect from their cloud service hosts.
The standard covers a range of topics such as asset ownership, removal and return of assets when a customer contract has been terminated, protection and separation of a customer’s virtual environment and more. With a growing risk of cloud data breaches it is important to know your organisation has put in significant measures to try and minimise these risks as a cloud service provider and/or a cloud service customer.
As ISO 27017 is built from the foundations of the ISO 27001 and ISO 27002 framework, the certification shows compliance internationally and helps your organisation for both the cloud service providers and cloud service customers against risks within the cloud.
How NQA can help you
With a wealth of experience providing accredited management systems certifications, NQA is ideally placed to partner with you to meet stakeholder requirements and exceed industry expectations.
Technical committees and industry relationships.
NQA is highly involved in a wide variety of industry committees and standards writing teams, helping us to maintain a keen awareness of changes within the industry.
Knowledge transfer supporting our customer’s organisational strategy.
NQA is committed to ensuring customer awareness regarding changes in industry strategy, regulations, and standard requirements that may impact your management system approach.
If you are interested in understanding how NQA can assist you in gaining certification against ISO 27017 and protecting your cloud data please contact our sales team.
Steps to Certification
Complete a Quote Request Form so we can understand you and your business. We will then use this to personally prepare a proposal for your certification and define what is known as your 'scope of assessment'.
We will then contact you to book your assessment with an NQA assessor. It consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been operational for a minimum of three months and has been subject to a management review and a full cycle of internal audits.
Following a successful stage two audit, a decision is made. If positive, your certification will be issued by NQA, with both a hard and soft copy of the certificate awarded. Certification is valid for three years and maintained through surveillance audits (years one and two) and a recertification audit in year three.
Information Security Toolkit 2013
ISO 27001 FAQs
ISO 27701 Implementation Guide
ISO 27001 Information Security Checklist
ISO 27001 27017 27018 27701 Mapping
Risk Assurance Brochure
Integrated Quote Request Form
Information Security Management Training
Measuring Operational Resilience Method
Annex SL Comparison Tool
CityFibre Case Study
Is Your Management System Integrated?
Need a Consultant?
Download Certification Logos
Combining ISO 27001 with ISO 9001 Gap Guide
Related ISO 27001 Content
Get in touch today to begin your journey to a greener, more sustainable business and a member of our team will be in touch to discuss your requirements: