ISO 27017

What is ISO 27017?

The ISO 27017 framework is an international standard that outlines best practices for cloud security. It provides organizations with guidelines on how to protect their information systems and data when using a cloud service provider. ISO 27017 focuses on the security of personal data, and covers topics such as access control, incident management, encryption, and logging. 

The standard outlines a set of best practices for the implementation, management, and operation of cloud computing services. It also provides guidelines on how to protect user data in the event of a security breach or other incident. 

Furthermore, it helps ensure that organizations are taking appropriate measures to protect their data when using cloud services. By following these standards, businesses can reduce the risk associated with storing sensitive information in the cloud while still enjoying its many benefits. Additionally, it encourages transparency between service providers and customers by helping them understand what steps have been taken to keep their data safe.

ISO 27017 controls list

You may be wondering what exactly ISO 27017 compliance covers, and which controls are included. There are two basic aspects of ISO 27017. First, it guides organizations on how to take 37 of the ISO 27001 controls and implement them in cloud environments. Second, it introduces seven security controls that are meant specifically for cloud environments.

These controls include:

  • Shared roles and responsibilities within a cloud computing environment
  • Removal of cloud service customer assets
  • Segregation in virtual computing environments
  • Virtual machine hardening
  • Administrator’s operational security
  • Monitoring of cloud services
  • Alignment of security management for virtual and physical networks

What is the difference between ISO 27001 and ISO 27017?

ISO 27017 is an ISO 27001 framework extension. ISO 27001 is an international standard for information security management, while ISO 27017 is a code of practice and information security framework for cloud security. 

ISO 27001 outlines the requirements for establishing and managing an Information Security Management System (ISMS) within an organization, while ISO 27017 provides guidance on how to implement specific controls when using (or considering) cloud services.

ISO 27017 focuses more specifically on cloud services and looks at information security issues such as data protection, access control, identity management, availability and resilience. It also covers areas such as incident response and compliance auditing. 

ISO 27001 is the general umbrella and also includes requirements for risk assessment and management, as well as the implementation of security controls to mitigate the identified risks.

ISO 27017 is an important framework that organizations can use, alongside ISO 27001, to demonstrate their commitment to protecting data and providing a secure environment for customers. With this framework in place, organizations can give customers the assurance that their data is safe and secure when using their services. It also helps ensure compliance with international standards and regulations related to information security management systems, making it a valuable tool for any organization looking to demonstrate its protection of customer data.

Need to get ISO 27017 compliant and unsure where to begin? At Scytale, you can streamline your compliance with our automation platform, while being guided on all the ISO 27017 ins and outs.