ISO/IEC 27017:2015 is an international standard that provides information security controls and implementation guidance for both cloud service providers and cloud service customers. Its full title is "Code of practice for information security controls based on ISO/IEC 27002 for cloud services": it supplements the general guidance of ISO/IEC 27002 with cloud-specific guidance.
ISO 27017 helps an organization build a cloud-specific information security management system by selecting the appropriate cloud service information security controls. Which controls are selected, and how the implementation guidance is applied, depends on the organization's risk assessment and on any legal, contractual, regulatory or other cloud-sector-specific information security requirements.
The standard gives cloud-specific implementation guidance for 37 of the ISO/IEC 27002 controls and adds seven new cloud-specific controls, which are set out in Annex A of ISO 27017.
The seven new controls are:
- Shared roles and responsibilities within a cloud computing environment (CLD.6.3.1)
- Removal of cloud service customer assets (CLD.8.1.5)
- Segregation in virtual computing environments (CLD.9.5.1)
- Virtual machine hardening (CLD.9.5.2): virtual machines in the cloud computing environment should be hardened to meet business needs
- Administrator's operational security (CLD.12.1.5): procedures for administrative operations of the cloud environment should be defined, documented and monitored
- Monitoring of cloud services (CLD.12.4.5)
- Alignment of security management for virtual and physical networks (CLD.13.1.4)
BENEFITS OF ISO 27017:2015
The potential benefits to an organization of implementing ISO 27017:2015 are:
- Reduced reputational and operational risk;
- A sustainable long-term strategy;
- Increased customer trust;
- Increased brand value;
- Increased transparency.
WHY IMPLEMENTING ISO 27017:2015 IS IMPORTANT FOR AN ORGANIZATION
For any organization, long-term customer trust is essential to the business. ISO 27017:2015 not only helps organizations protect customer data in the cloud; it also addresses asset management (including the removal and disposal of assets holding sensitive information), segregation of a customer's virtual computing environment from other cloud service customers and from unauthorized persons, hardening of virtual machines in the cloud computing environment, logging and monitoring, storage of data, and alignment of security management for virtual and physical networks. Together these help an organization increase its brand value, reduce operational risk and gain customer trust.