What is ISO/IEC 27017:2015
ISO/IEC 27017:2015 provides organizations with the internationally accepted code of practice for infromation security controls based on ISO/IEC 27002 for cloud services. Essentially, some control refinements to and additions on top of ISO/IEC 27002.
Cloud services are now pervasive and whilst ISO/IEC 27001:2022 and ISO/IEC 27002:2022 introduced control 5.23 information security for use of cloud services, ISO/IEC 27017 still goes several steps further.
Most large cloud service providers adopt the control refinements and additions found in ISO/IEC 27017:2015 as a part of their ISO/IEC 27001 certified Information Security Management System (ISMS) so they can claim certification to ISO/IEC 27017 as well.
What ISO/IEC 27002 requirements are modified in ISO/IEC 27017:2015?
There are thirty-seven (37) controls that you'll be familiar with from ISO/IEC 27002 that have been modified in ISO/IEC 27017. Each includes implementation guidance for the cloud service provier *and* the cloud service customer. So even if you're not a cloud service provider, you probably are a cloud service customer whether you know it or not! (and the guidance in ISO/IEC 27017 can help you enhance your security posture).
These range from planning mechanisms like policies for information security, information security roles & responsibilities, inventory of assets, incident management and compliance through to technical operational mechanisms such as access control, cryptography, change & capacity management and event logging. Whilst cloud services offer many benefits like flexibility and scalability these long establish security controls are just as important if not more important for secure use of cloud services.
What additional requirements are found in ISO/IEC 27017:2015?
There are seven (7) additional controls found in ISO/IEC 27017:2015 in its very own Annex A and with references that are prefixed with "CLD" for cloud services. Similarly to the modifications, for each of the additional controls there is either implementation guidance for cloud service providers and/or customers.
The additional controls are:
- CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
- CLD.8.1.5 Removal of cloud service customer assets
- CLD.9.5.1 Segregation in virtual computing environments
- CLD.9.5.2 Virtual machine hardening
- CLD.12.1.5 Administrator’s operational security
- CLD.12.4.5 Monitoring of Cloud Services
- CLD.13.1.4 Alignment of security management for virtual and physical networks
Who and why would you bother with ISO/IEC 27017:2015?
If you offer or consume any type of cloud service whether its Infastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) you should take a look at the controls and guidance found in ISO/IEC 27017 to enhance your Information Security Management System (ISMS). Large hyper scalers like Microsoft, Amazon and Google already comply with the requirements of ISO/IEC 27017, and you can demonstrate your security prowess by doing similar.
Will there be a new version of ISO/IEC 27017 at some point?
No doubt there will be. You'll see that ISO/IEC 27017 uses control references and domains based on ISO/IEC 27002:2013, so you'll need to translate these to the ISO/IEC 27002:2022 version if you're already aligning with the new version. No drama!
The ISO website also explains that ISO/IEC 27017:2015 will be replaced by ISO/IEC WD 27017 (the final name will change). The new version is under development but at the time of writing was only in the Preparatory stage. So stay tuned!
How can 6clicks help with ISO/IEC 27017:2015?
6clicks has long provided functionality and content to support assessments against ISO/IEC 27001 certification requirements as well as implement and maintain your Information Security Management System (ISMS) including making the underlining ISO/IEC 27001 (2013 and 2022) requirements available in the 6clicks Content Library along with assessment templates, and template policies / control sets.
6clicks has now made available ISO/IEC 27017:2015 in the 6clicks Content Library as a "delta" assessment against the 36 modified controls and the 7 additional controls for anyone that has already separated completed an assessment against ISO/IEC 27001 Annex A or ISO/IEC 27002. In addition, 6clicks has prepared a "complete" set of requirements that combine ISO/IEC 27001 Annex A and ISO/IEC 27017 requirements.
Written by Andrew Robinson
Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Masters in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.