
ISO / IEC 27017

Cloud Services Security

ISO 27017 – Cloud Service Security


Certification to the ISO/IEC 27017 standard is intended for organizations that have ISO 27001 certification.

Definition of ISO 27017

ISO 27017 is an international standard that focuses on providing specific guidelines and recommendations for information security in the cloud. Officially, it is titled “ISO/IEC 27017:2015 – Information technology – Security techniques – Code of practice for cloud information security.” It was developed to help organizations, cloud service providers, and stakeholders address the unique security challenges that arise when storing and processing information in cloud environments.

Goals of ISO 27017

ISO 27017, also known as ISO/IEC 27017, provides specific guidelines for information security in the cloud. Its main goals include:

  • Cloud Security: ISO 27017 primarily aims to address information security issues that are relevant to cloud service providers and their customers. This involves ensuring that information and data stored, processed and transmitted in cloud environments are secure.
  • Protection of sensitive data: The standard seeks to protect sensitive and critical data that is stored and processed in the cloud. This includes ensuring the confidentiality, integrity, and availability of data, as well as proper user identification, authentication, and access management.
  • Regulatory Compliance: ISO 27017 provides guidelines to help organizations comply with relevant information security regulations and standards in cloud environments. This is important to avoid legal sanctions and maintain the trust of customers and stakeholders.
  • Cloud Risk Management: ISO 27017 promotes effective cloud risk management by helping organizations identify and assess the specific risks associated with the adoption of cloud services and implement appropriate controls to mitigate them.
  • Transparency and trust: ISO 27017 encourages transparency between cloud service providers and their customers by setting clear expectations about each party’s responsibility for information security. This helps build and maintain trust in cloud services.
  • Security Best Practices: The standard provides guidelines for implementing cloud information security best practices, helping to protect information assets and prevent security incidents.
  • Business continuity in the cloud: ISO 27017 focuses on ensuring business continuity in cloud environments, ensuring that services are resilient and available even in the event of unexpected events or disasters.

The main goal of ISO 27017 is to provide specific guidance on cloud information security, helping organizations protect sensitive data, comply with regulations, manage risks, promote transparency, and improve trust in cloud services.

Benefits of ISO 27017

  • Increased confidence in the business, as it provides greater assurance to interested parties.
  • It demonstrates that robust control systems are in place to protect your data.
  • Enhances image and reputation by reducing the risk of negative publicity due to data breaches.
  • Strengthens vulnerability control beyond what the ISO/IEC 27001 standard alone provides.
  • Protects against sanctions from interested parties (customers, regulators, etc.).

An organization needs to implement ISO 27017 when:

  1. The organization has initiated and/or maintains remote work or teleworking.
  2. The aim is to demonstrate the organization’s commitment to information security in the services it provides through the cloud.
  3. The organization wants a commercial differentiator associated with information security in a comprehensive manner.
  4. It already has the ISO/IEC 27001 standard implemented and wants to reinforce it with the most current controls.

Frequently Asked Questions

Stages of the ISO 27017 Standard

In summary, ISO 27017 does not define specific stages, but provides guidelines and good practices related to cloud information security that organizations can follow to ensure the protection of their data and systems in cloud environments.

These guidelines can be applied at various stages of implementing and managing cloud solutions, from initial risk assessment to ongoing operation of cloud services.

Structure of the ISO 27017 Standard

The ISO/IEC 27017:2015 standard, which provides guidelines for information security in the cloud, follows a structure consisting of several sections and clauses:

  • Scope: This section establishes the purpose and scope of the standard, that is, who it is intended for and what aspects of cloud information security it covers.
  • Normative References: References are included here to other standards related to information security and cloud security that should be considered when applying ISO 27017.
  • Terms and Definitions: This section provides key definitions of terms used in the standard to ensure a common understanding of the concepts involved.
  • Cloud Information Security Context: This part describes the general context of cloud information security, including factors such as shared responsibility between the cloud service provider and the customer.
  • Guidelines for Information Security in the Cloud: This section constitutes the central part of the standard and contains specific recommendations and guidelines for the security of information in the cloud. These guidelines cover a variety of topics, such as cloud risk management, cloud identity and access management, cloud business continuity, and other key aspects of cloud security.
  • Annexes: Annexes may be included that provide additional information or examples related to the implementation of cloud information security guidelines.
  • Bibliography: The sources and bibliographic references used in the preparation of the standard are listed here.

The PDCA cycle in ISO 27017

There is no specific PDCA (Plan, Do, Check, Act) cycle in the ISO/IEC 27017:2015 standard. The PDCA cycle is a widely used approach in quality management and continuous process improvement, but it is not a structure formally defined in ISO 27017. Instead, PDCA is applied in the broader context of information security management, and some of the activities within the standard may relate to the steps of the PDCA cycle without being explicitly presented under that framework.

However, the PDCA cycle is relevant to information security management and can be applied to the use of ISO 27017 guidelines for cloud security. The following describes how the PDCA steps relate to managing information security in the cloud:

  • Plan: In this phase, cloud information security objectives and goals are established, risks are identified, and the policies and procedures necessary to address those risks are defined. This could include planning the implementation of cloud security measures based on ISO 27017 guidelines.
  • Do: In this phase, the security measures planned in the previous phase are implemented. This could involve configuring and launching cloud systems and services in accordance with established security guidelines.
  • Check: In this stage, the security measures implemented are monitored and evaluated to ensure that they are working as expected. Constant monitoring of cloud security is carried out and regular audits are conducted to verify compliance.
  • Act: In this final phase, steps are taken to continually improve the security of information in the cloud. This could include reviewing security incidents, correcting deviations, and updating policies and procedures based on lessons learned.

Although ISO 27017 does not explicitly mention the PDCA cycle, the continuous improvement approach and risk management it promotes are in line with the principles of the PDCA cycle and are essential to ensure effective information security in the cloud.

Contact us for more information about ISO 27017


Calle Joaquín Bau nº 2 | 1ª Planta | Escalera Derecha | 28036 Madrid