The British Standards Institution (BSI), the business standards company, has introduced ISO/IEC 27017 certification and training to support the use of ISO/IEC 27017, Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services. The standard helps cloud service providers demonstrate that data stored and processed in their cloud services is protected by appropriate, cloud-specific controls.
Cloud service security is a genuine concern for prospective customers of cloud services. Should they choose to adopt cloud computing, ISO/IEC 27017 certification and training give customers evidence that the cloud service provider’s controls have been independently assessed against a recognised, cloud-specific code of practice, and a common basis for comparing those controls with their own.
The advent of cloud computing and its rapid adoption by organisations of all sizes and types posed a challenge to the ISO/IEC 27000 series, because those documents were largely written around information security within a single organisation. Cloud computing, by contrast, always involves at least two parties: the cloud service provider and the cloud service customer.
ISO/IEC 27017 provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and other ISO/IEC 27000 standards.
What ISO/IEC 27017 does:
*Addresses the information security management of public cloud services head-on
*Extends the control sets defined in ISO/IEC 27002 to cloud services, dealing with the split of responsibilities between the provider and the customer
*Details the controls and/or documentation that the provider and the customer should each have in place
*Shows what information/capabilities must be supplied to the customer by the provider
*Enables the customer to ensure that the cloud services they use meet the information security requirements of the customer and that those cloud services fit into the information security management processes of the customer
Delivering security controls
Elaine Munro, head of portfolio management at the BSI, said: “ISO/IEC 27017 looks at the roles and IT responsibilities of both the cloud service customer and the cloud service provider when it comes to delivering security controls. Following this guidance can help meet the needs of both parties, but they can receive further support from the ISO/IEC 27017 certification scheme or training modules, the latter of which look at how to audit ISO/IEC 27017.”
Munro went on to state: “Some of the benefits users can expect include greater reassurance to customers and stakeholders that cloud service customer data is well protected, increased competitive advantage by demonstrating that robust data protection controls are in place and help in reducing the possibility of a data breach which could result in regulatory fines and damage to brand reputation.”
ISO/IEC 27017 adds cloud-specific implementation guidance to 37 of the existing ISO/IEC 27002 controls and introduces seven new controls. Taken together, they mean that certification:
*Provides guidance on the protection of records associated with the use of the cloud service
*Provides clarity on how change management is handled with respect to the cloud service and how it’s reported to the cloud service customer
*Enables the customer and provider to reach an agreement on shared or divided responsibilities around information security roles, with cloud services clearly laid out, recorded and communicated
*Ensures that the process by which assets are returned or removed from the cloud when the contract/agreement between the customer and provider is terminated is addressed
*Enables the provider to address the issue of protecting and separating the customer’s virtual environment from those of other customers and from external parties
*Requires virtual machines to be hardened and configured to meet the needs of the organisation that uses them
*Makes the customer responsible for documenting and monitoring the administrative operations and procedures associated with its cloud environment, and requires the cloud service provider to share information about critical operations and procedures with customers as and when they require it
*Ensures consistent configurations are made such that the virtual network environment is in line with the information security policy of the physical network
By achieving ISO/IEC 27017 certification, cloud service providers can give customers well-founded assurance that their security controls meet customer requirements, while demonstrating their professionalism in providing a secure cloud service.