Introduction to ISO 27017
Overview
ISO/IEC 27017:2015 is an international standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It builds upon ISO/IEC 27002 by providing additional implementation guidance on cloud-specific controls and new controls that are specifically relevant to cloud computing environments.
Learning Objectives
By the end of this lesson, you will be able to:
- Understand the purpose and scope of ISO 27017
- Identify the key stakeholders addressed by the standard
- Recognize the structure and organization of the standard
- Understand how ISO 27017 fits into the broader ISO 27000 family
- Appreciate the business value of implementing ISO 27017
What is ISO 27017?
Definition and Purpose
ISO 27017 is a code of practice for information security controls for cloud services. It provides:
- Additional implementation guidance for relevant controls specified in ISO/IEC 27002
- Additional controls with implementation guidance that specifically relate to cloud services
The standard addresses two key perspectives:
- Cloud Service Providers (CSPs) - Organizations providing cloud services
- Cloud Service Customers (CSCs) - Organizations using cloud services
Key Characteristics
| Characteristic | Description |
|---|---|
| Publication Date | 2015 |
| Type | Code of Practice |
| Scope | Cloud-specific security controls |
| Complementary Standards | ISO 27001, ISO 27002, ISO 27018 |
| Applicability | All cloud service models (IaaS, PaaS, SaaS) |
Why ISO 27017 Matters
The Cloud Security Challenge
Organizations moving to cloud computing face unique security challenges:
- Loss of Physical Control: Data and systems are hosted by third parties
- Shared Infrastructure: Resources are shared among multiple tenants
- Complex Responsibility Models: Security responsibilities are divided between CSP and CSC
- Regulatory Compliance: Meeting compliance requirements in cloud environments
- Data Sovereignty: Managing data across different jurisdictions
Business Benefits
Implementing ISO 27017 provides significant business advantages:
For Cloud Service Providers:
- Demonstrates security commitment to customers
- Competitive differentiation in the marketplace
- Reduced security incidents and associated costs
- Improved operational efficiency
- Enhanced customer trust and retention
For Cloud Service Customers:
- Framework for evaluating cloud providers
- Clear understanding of security responsibilities
- Reduced security risks
- Improved compliance posture
- Better governance of cloud services
Structure of ISO 27017
Organization
ISO 27017 is organized into the following main sections:
- Scope - Defines what the standard covers
- Normative References - References to other essential standards
- Terms and Definitions - Cloud-specific terminology
- Overview - Context and background
- Cloud Computing Reference Architecture - Framework for understanding cloud services
- Information Security Controls - The core guidance organized by control domains
Control Categories
ISO 27017 follows the 14 control domains of ISO/IEC 27002 (2013 edition) and gives cloud-specific guidance against the controls in each:
| Domain | Number of Controls | Focus Area |
|---|---|---|
| Information Security Policies | 2 | Policy framework |
| Organization of Information Security | 7 | Roles and responsibilities |
| Human Resource Security | 6 | Personnel security |
| Asset Management | 10 | Asset inventory and classification |
| Access Control | 14 | Identity and access management |
| Cryptography | 2 | Encryption controls |
| Physical and Environmental Security | 15 | Physical safeguards |
| Operations Security | 14 | Operational procedures |
| Communications Security | 7 | Network security |
| System Acquisition, Development and Maintenance | 13 | Secure development |
| Supplier Relationships | 5 | Third-party management |
| Information Security Incident Management | 7 | Incident response |
| Information Security Aspects of Business Continuity | 4 | Continuity planning |
| Compliance | 8 | Legal and regulatory compliance |
Key Concepts
Cloud Service Categories
ISO 27017 addresses three primary cloud service models:
1. Infrastructure as a Service (IaaS)
- Provides fundamental computing resources
- Examples: Virtual machines, storage, networks
- CSP Responsibility: Infrastructure layer
- CSC Responsibility: Operating systems, applications, data
2. Platform as a Service (PaaS)
- Provides development and deployment platforms
- Examples: Application hosting, database services
- CSP Responsibility: Infrastructure and platform layers
- CSC Responsibility: Applications and data
3. Software as a Service (SaaS)
- Provides complete software applications
- Examples: Email, CRM, collaboration tools
- CSP Responsibility: Infrastructure, platform, and application layers
- CSC Responsibility: Configuration and data
Shared Responsibility Model
A fundamental principle in cloud security is the shared responsibility model:
```
┌──────────────────────────────┐
│ Data                         │ ◄── Customer
├──────────────────────────────┤
│ Applications                 │ ◄── Customer (IaaS/PaaS), Provider (SaaS)
├──────────────────────────────┤
│ Operating System             │ ◄── Customer (IaaS), Provider (PaaS/SaaS)
├──────────────────────────────┤
│ Virtual Network/Hypervisor   │ ◄── Provider
├──────────────────────────────┤
│ Physical Infrastructure      │ ◄── Provider
└──────────────────────────────┘
```
ISO 27017 vs. Other Standards
Relationship to ISO 27001
| ISO 27001 | ISO 27017 |
|---|---|
| Certifiable standard | Code of practice (not certifiable alone) |
| General ISMS requirements | Cloud-specific guidance |
| Broad applicability | Cloud environments only |
| Mandatory for certification | Optional implementation guidance |
Relationship to ISO 27002
ISO 27017 extends ISO 27002 by:
- Providing cloud-specific implementation guidance for existing controls
- Adding new controls unique to cloud computing
- Clarifying responsibilities in cloud scenarios
Relationship to ISO 27018
| ISO 27017 | ISO 27018 |
|---|---|
| Cloud security controls (general) | Personal data protection in cloud |
| Both CSP and CSC perspectives | Primarily CSP perspective |
| All types of information | Personal information (PII) focus |
| Published 2015 | Published 2014 |
Who Should Use ISO 27017?
Cloud Service Providers
CSPs should implement ISO 27017 to:
- Enhance security controls in cloud infrastructure
- Meet customer security expectations
- Demonstrate compliance readiness
- Reduce security-related risks
- Improve service delivery quality
Cloud Service Customers
CSCs should use ISO 27017 to:
- Evaluate potential cloud service providers
- Understand their security responsibilities
- Implement appropriate security controls
- Manage cloud-related risks effectively
- Ensure regulatory compliance
Other Stakeholders
- Auditors and Assessors: Framework for evaluating cloud security
- Regulators: Benchmark for cloud security requirements
- Risk Managers: Guidance for cloud risk assessment
- IT Professionals: Best practices for cloud security implementation
Implementation Approach
Getting Started with ISO 27017
Step 1: Assessment
- Identify current cloud usage (services, providers, data)
- Determine applicable controls based on service models
- Assess current security posture
Step 2: Planning
- Define roles and responsibilities (CSP vs. CSC)
- Prioritize controls based on risk assessment
- Develop implementation roadmap
Step 3: Implementation
- Establish policies and procedures
- Deploy technical controls
- Train personnel on cloud security
Step 4: Monitoring
- Continuous monitoring of cloud security controls
- Regular audits and assessments
- Incident management and response
Step 5: Improvement
- Review and update controls regularly
- Learn from incidents and near-misses
- Stay current with evolving threats
Compliance and Certification
Important Notes
- ISO 27017 is NOT a certifiable standard on its own
- Organizations can be certified to ISO 27001 with reference to ISO 27017
- Certification bodies may offer combined ISO 27001/27017 assessments
- ISO 27017 provides the implementation guidance for cloud-specific controls
Value Without Certification
Even without formal certification, implementing ISO 27017 provides:
- Improved security posture
- Better risk management
- Enhanced customer confidence
- Competitive advantage
- Foundation for compliance with various regulations
Common Misconceptions
Myth vs. Reality
| Myth | Reality |
|---|---|
| ISO 27017 is only for large enterprises | Applicable to organizations of all sizes using cloud |
| It's only for cloud providers | Equally important for cloud customers |
| Implementation is too expensive | Can be scaled to match organizational needs |
| It's a checklist to complete | Requires ongoing management and improvement |
| Covers all cloud security needs | Should be part of broader security strategy |
Real-World Applications
Case Study: Financial Services Company
Scenario: A mid-size bank adopting cloud services for customer data processing
Challenges:
- Regulatory compliance (PCI DSS, GDPR)
- Customer trust and confidence
- Data sovereignty concerns
- Third-party risk management
ISO 27017 Benefits:
- Clear framework for vendor evaluation
- Defined security requirements in contracts
- Structured approach to shared responsibilities
- Documented security controls for auditors
Outcome: Successful cloud adoption with maintained regulatory compliance and enhanced security posture.
Case Study: Cloud Service Provider
Scenario: A SaaS provider seeking to expand into enterprise market
Challenges:
- Enterprise customers demanding security certifications
- Competitive differentiation needed
- Complex multi-tenant environment
- Incident management at scale
ISO 27017 Benefits:
- Structured implementation of cloud security controls
- Documented evidence for customer due diligence
- Improved operational efficiency
- Reduced security incidents
Outcome: 40% increase in enterprise customer acquisition and 60% reduction in security-related support tickets.
Key Takeaways
- ISO 27017 is a code of practice providing cloud-specific security guidance for both providers and customers
- It extends ISO 27002 with additional implementation guidance and new controls for cloud environments
- Shared responsibility is central: both CSPs and CSCs have security obligations
- Business value is significant: improved security, compliance, trust, and competitive advantage
- Implementation is scalable: it can be adapted to organizations of different sizes and cloud maturity levels
- It is part of a framework: it works best when integrated with ISO 27001, 27002, and other standards
- Continuous improvement is essential: cloud security is not a one-time implementation
Preparation for Next Lesson
In the next lesson, we'll dive deep into Cloud Service Models (IaaS, PaaS, SaaS) and understand:
- Detailed characteristics of each service model
- Security implications of different models
- How responsibilities shift across models
- Choosing the right model for your needs
Self-Assessment Questions
- What is the primary purpose of ISO 27017?
- Name the two key stakeholder groups addressed by ISO 27017.
- How does ISO 27017 differ from ISO 27001?
- What are the three main cloud service models covered by the standard?
- Can an organization get ISO 27017 certification independently?
- What is the shared responsibility model in cloud computing?
- List three business benefits of implementing ISO 27017 for cloud service providers.
- How many control domains are covered in ISO 27017?
- What is the relationship between ISO 27017 and ISO 27018?
- Why is continuous improvement important in ISO 27017 implementation?
Additional Resources
Standards Documents
- ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
- ISO/IEC 27001:2022 - Information security management systems — Requirements
- ISO/IEC 27002:2022 - Information security controls
Industry Guidelines
- Cloud Security Alliance (CSA) Cloud Controls Matrix
- NIST SP 800-145 - The NIST Definition of Cloud Computing
- ENISA Cloud Computing: Benefits, risks and recommendations for information security
Regulatory References
- GDPR (General Data Protection Regulation)
- PCI DSS (Payment Card Industry Data Security Standard)
- HIPAA (Health Insurance Portability and Accountability Act)
Glossary
Cloud Service Provider (CSP): An organization that provides cloud computing services to customers.
Cloud Service Customer (CSC): An organization or individual that uses cloud services provided by a CSP.
Information Security Management System (ISMS): A systematic approach to managing sensitive company information.
Code of Practice: A set of written guidelines or recommendations for a particular professional area.
Control: A means of managing risk, including policies, procedures, practices, and organizational structures.
Shared Responsibility Model: A security and compliance framework that outlines the responsibilities of CSPs and CSCs.
Multi-tenancy: An architecture where a single instance of software serves multiple customers (tenants).
Data Sovereignty: The concept that digital data is subject to the laws of the country in which it is located.
This lesson provides the foundation for understanding ISO 27017. The subsequent lessons will build upon these concepts with detailed guidance on implementation, controls, and best practices.