ISO/IEC 27017

ISO/IEC 27017:2015 / ITU-T X.1631 – Information technology — Security techniques — Recommended practices for information security controls based on ISO/IEC 27002 applicable to cloud services


The standard outlines information security requirements for cloud computing and recommends, and assists in implementing, security measures tailored to cloud computing. It complements ISO/IEC 27002 and other ISO27k standards.

Scope and objectives

Within the cloud computing context, the code of practice provides implementation advice for information security controls beyond what is provided in ISO/IEC 27002.

Across all sections of the standard, the main guidance is given to both customers and providers of cloud services.

On information security roles and responsibilities, for example, the standard states the following, alongside section 6.1.1 of ISO/IEC 27002:2013:

Cloud service customer – In addition to agreeing on an appropriate role and responsibility allocation with the cloud service provider, the cloud customer should also confirm its ability to carry out the roles and responsibilities. It is important to specify the roles and responsibilities of each party in the information security agreement. For customers to benefit from cloud services, they must establish a relationship with the cloud service provider’s customer support and care function.

Cloud computing service provider – Providers of cloud services should document and agree on an appropriate division of responsibilities for information security with their cloud service customers, their cloud providers, and their suppliers.

Additional information on cloud computing – The customer of a cloud service is responsible for his or her choice to use the service, no matter who determines the responsibilities of the parties. In that case, the decision should be based on the roles and responsibilities determined within the organization of the cloud service customer. It is the cloud service provider’s responsibility to ensure the information security outlined in the cloud service agreement. The implementation and provisioning of information security … [Read the standard to see all the details!]

The normative standards

Besides ISO/IEC 27000 and 27002, the standard cites ISO/IEC 17788 (Cloud computing – Definition and Overview) as well as ISO/IEC 17789 (Cloud computing – Reference model). Interestingly, despite being noted in the bibliography, ISO/IEC 27001 is not considered normative, i.e. required reading: ISO/IEC 27002 can be implemented with or without an ISMS.

The standard’s status

Because it was developed by both ISO/IEC and ITU, the standard is dual-numbered as ISO/IEC 27017 and ITU-T X.1631.

The standard was published in late 2015, according to the Government Publishing Office.


Support for the standards project came from ISO/IEC JTC 1/SC 27, ITU-T Q8/SG17, national standards associations as well as the Cloud Security Alliance, to name a few.

It is not a brilliant first edition, but it is a valuable starting point in this rapidly developing field.

As a result of this standard, ISO/IEC 27002 section 15 has now addressed the details of data security for supplier relationships without actually mentioning the term “cloud”.

It comes under the remit of ISO/IEC 27009 since it is a sector-specific standard.

SC 27 decided not to develop a separate specification for cloud information security management systems, as ISO/IEC 27001 is capable enough. Because of this, it is not intended to certify the security of cloud service providers. As with any organization, however, they can be certified ISO/IEC 27001 compliant.

Since SC 27 is developing a cloud privacy standard and a provider management standard at the same time, it was logical to refer to those standards instead, and that is indeed what happened in the privacy standard but not for the relationship management standard. What a strange thing.



