Certification and training support for cloud security standard available from BSI

The British Standards Institution (BSI), the business standards company, has introduced ISO/IEC 27017 certification and training to support the use of ISO/IEC 27017 Information Technology – Security Techniques – Code of Practice for Information Security Controls based on ISO/IEC 27002 for cloud services. The standard helps provide assurances that the data stored and processed in the cloud is secure.

Cloud service security is a genuine concern for many potential customers of cloud services. Should they choose to adopt cloud computing, ISO/IEC 27017 certification and training now give customers reassurance that the cloud service provider’s system is as secure as their own.

The advent of cloud computing and its rapid adoption by organisations of all sizes and types brought a challenge to the ISO/IEC 27000 Series, as these documents mostly deal with information security within one organisation. However, cloud computing involves the cloud service provider and the cloud service customer.

ISO/IEC 27017 provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and other ISO/IEC 27000 standards.

What ISO/IEC 27017 does:

* Addresses the information security management of public cloud services head-on

* Extends the control sets defined in ISO/IEC 27002 to cloud services, dealing with the split of responsibilities between the provider and the customer

* Details the controls and/or documentation both the provider and the customer must have in place

* Shows what information/capabilities must be supplied to the customer by the provider

* Enables the customer to ensure that the cloud services they use meet the information security requirements of the customer and that those cloud services fit into the information security management processes of the customer

Delivering security controls

Elaine Munro, head of portfolio management at the BSI, said: “ISO/IEC 27017 looks at the roles and IT responsibilities of both the cloud service customer and the cloud service provider when it comes to delivering security controls. Following this guidance can help meet the needs of both parties, but they can receive further support from the ISO/IEC 27017 certification scheme or training modules, the latter of which look at how to audit ISO/IEC 27017.”

Munro went on to state: “Some of the benefits users can expect include greater reassurance to customers and stakeholders that cloud service customer data is well protected, increased competitive advantage by demonstrating that robust data protection controls are in place and help in reducing the possibility of a data breach which could result in regulatory fines and damage to brand reputation.”

In addition to extending 37 of the ISO/IEC 27002 controls, ISO/IEC 27017 introduces seven new controls, so that together certification:

* Provides guidance on the protection of records associated with the use of the cloud service

* Provides clarity on how change management is handled with respect to the cloud service and how it’s reported to the cloud service customer

* Enables the customer and provider to reach an agreement on shared or divided responsibilities around information security roles, with cloud services clearly laid out, recorded and communicated

* Ensures that the process by which assets are returned or removed from the cloud when the contract/agreement between the customer and provider is terminated is addressed

* Enables the provider to address the issue of protecting and separating the customer’s virtual environment from those of other customers and from external parties

* Allows the customer and provider to configure virtual machines to meet the needs of the organisation

* Makes it the customer’s responsibility to document and monitor the administrative operations and procedures associated with the cloud environment, and the cloud service provider’s responsibility to share information about critical operations and procedures as and when customers require it

* Ensures consistent configurations are made such that the virtual network environment is in line with the information security policy of the physical network

By adopting ISO/IEC 27017 certification, cloud service providers will be able to give customers solid assurance that their security controls meet customer requirements, as well as demonstrating their professionalism in providing a secure cloud service.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications). Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000, having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.