ISO 27017:2015
Safeguard your cloud services through robust information security controls
Features and Benefits
The key features of ISO 27017:2015 can be summarized as follows:
ISO/IEC 27017 is a security standard designed for cloud service providers and users to create a more secure cloud environment and minimize security risks. It is part of the ISO/IEC 27000 family, which offers best practice recommendations for information security management. This standard is based on ISO/IEC 27002, with additional cloud-specific security controls that were not fully addressed in ISO/IEC 27002.
The International Standard provides guidelines for implementing information security controls for both cloud service customers and providers. It helps define the appropriate security controls to implement, based on a risk assessment, and considers legal, contractual, regulatory, and cloud-sector-specific requirements.


ISO/IEC 27017 introduces 7 additional cloud-related controls, covering:
- The division of responsibilities between cloud service providers and customers.
- Procedures for returning or removing assets at the end of a contract.
- Protection and separation of the customer’s virtual environment.
- Virtual machine configuration.
- Administrative operations and procedures within the cloud environment.
- Monitoring cloud customer activity.
- Alignment of virtual and cloud network environments.
Organizations offering cloud services can benefit from ISO/IEC 27017 certification, which demonstrates adherence to stringent security standards and processes for handling potential issues.
If your organization provides cloud services, your customers will seek assurances that their data, documents, messages, and activities are protected at all times, with the ability to retrieve and move data as needed. ISO/IEC 27017 certification instills confidence in these areas.
Achieving ISO/IEC 27017 certification offers several advantages:
- Reduces operational risk: By following ISO/IEC 27017 guidelines, you can effectively identify vulnerabilities and mitigate risks, including data breaches and regulatory fines.
- Builds market trust: An independent third-party certification showcases your commitment to global information security practices, giving you a competitive edge as investors and customers recognize you as a trustworthy partner.
- Clarifies responsibilities: ISO/IEC 27017 clearly defines the roles, rights, and responsibilities between cloud service customers and providers, helping you establish yourself as a preferred provider and expand your global reach.

Applicability
As more businesses provide cloud-based services, purchasing departments are increasingly requesting proof that data stored on cloud servers is secure. ISO/IEC 27017 provides a set of guidelines designed to protect cloud environments and reduce the risk of security incidents.
Consulting Methodology
Concept Building Training
Providing training to the client team to enhance their conceptual understanding of requirements and highlight the key drivers necessitating implementation.
Gap Analysis Report for IT Infrastructure & Configuration
Our team of domain experts will evaluate the current IT infrastructure, focusing on networking and data security controls to ensure effective management of information security, privacy, and business continuity. A comprehensive report detailing identified gaps and recommending potential solutions will be provided.
Design and Implementation of a Documented Management System
Creation of a tailored management system encompassing policies, system manuals, procedural guidelines, risk assessment frameworks, security control SOPs, and customizable templates.
Risk and Privacy Assessment Support
Providing expert guidance and assistance to clients in completing risk assessments, implementing necessary controls, and presenting the residual risk inventory to top management.
Implementation Training
Conducting one-on-one sessions with the key implementation team to provide comprehensive training on the documented management system and its implementation strategies.
Implementation Handholding
Providing ongoing consulting support to address routine queries and ensure the successful implementation of the requirements.
Internal Auditor Training
In-depth training on clause requirements and audit techniques, including case studies and assessments.
Conducting the Internal Audit
Our consulting team, along with the trained internal auditors from the client's team, conducts a comprehensive internal audit to assess all requirements and generates the audit report.
Closure of Audit Findings
We provide guidance and support to help the client address and resolve internal audit findings, ensuring readiness for the certification assessment.
Certification Audit Process
International certification and regulatory bodies will conduct the final assessment and issue an audit report upon successful evaluation.
Certificate Issuance by Certification Body
Once all audit findings are successfully closed, the client will receive the certification from the certification body.
Ongoing Consulting Support for Surveillance & Recertification Audits
As part of our commitment to long-term client partnerships, we provide continued consulting support for all future certification needs, assisting in the ongoing growth and success of our valued clients.