Cloud-native security has never been more important than in today's hybrid workplace, with multi-tenant systems and remote access the norm. The need for controls that fit cloud environments is what "ISO 27017 cloud security" refers to. The relevant standard is ISO/IEC 27017:2015 (ISO 27017 for short), which provides cloud-specific security guidance and is designed to be used alongside related standards, including ISO/IEC 27018 for the protection of personal data in public clouds.
This blog covers the basics of ISO 27017 end to end: how it compares with (and aligns to) ISO 27018, the certification path for each, and practical steps for establishing a solid cloud security posture.
Contact a compliance specialist like Qualysec today for help becoming certified or improving your cloud security posture.
What is ISO 27017 and Why Does it Matter for Cloud Security?
Cloud environments introduce challenges of their own: multi-tenancy, a shared responsibility model between provider and customer, and automated provisioning that spins up and tears down virtual machines in minutes. A general-purpose ISMS framework such as ISO/IEC 27001 is still the foundation, but it does not address many of these cloud-specific nuances directly.
ISO 27017 builds on ISO/IEC 27002. Its full title is ISO/IEC 27017:2015, Information technology, Security techniques, Code of practice for information security controls based on ISO/IEC 27002 for cloud services. It adds cloud-specific implementation guidance to the relevant ISO 27002 controls, plus a small set of new controls (seven in total) that apply to cloud service providers (CSPs), cloud service customers (CSCs), or both.
Examples of the new controls include:
Clear allocation of shared roles and responsibilities between the provider and the customer.
Segregation and hardening of virtual machines in a shared virtualised environment.
Return or removal of the customer's assets when the service agreement terminates.
Adopting ISO 27017 gives any organisation that provides or consumes cloud services a systematic, auditable way to define and demonstrate cloud-specific information security. Note that ISO 27017 is a code of practice rather than a standalone certifiable management-system standard: it is assessed as an extension to an existing ISO/IEC 27001 certification, with the cloud controls added to the scope of the ISMS.
Source: https://qualysec.com/iso-27017-cloud-security/