Business standards company BSI has introduced ISO/IEC 27017 certification and training to support the use of ISO/IEC 27017 Information technology – Security techniques – Code of practice for information security controls.
Based on ISO/IEC 27002 for cloud services, the standard aims to help provide assurances that the data stored and processed in the cloud is secure.
ISO/IEC 27017 provides guidance on the information security aspects of cloud computing and recommends and assists with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and other ISO/IEC 27000 standards.
Other aims of the standard include addressing the information security management of public cloud services, extending the control sets defined in ISO/IEC 27002 to cloud services, and detailing the controls and/or documentation the provider and customer must have in place.
BSI Head of Portfolio Management Elaine Munro said ISO/IEC 27017 looks at the roles and IT responsibilities of both cloud service customers and providers when it comes to delivering security controls.
“Following this guidance can help meet the needs of both parties, but they can receive further support from the ISO/IEC 27017 certification scheme, or training modules, the latter of which look at how to audit ISO/IEC 27017,” Munro said.
“Some of the benefits users can expect include: greater reassurance to customers and stakeholders that cloud service customer data is well protected, increased competitive advantage by demonstrating robust data protection controls are in place, and help in reducing the possibility of a data breach which could result in regulatory fines and damage to brand reputation.”
In addition to extending 37 controls from ISO/IEC 27002, ISO/IEC 27017 adds seven new controls, so that certification:
- Provides guidance on the protection of records associated with cloud service use
- Provides clarity on how change management is handled and how it is reported to the customer
- Enables the customer and provider to reach agreement on shared or divided responsibilities around information security roles
- Ensures that the return or removal of assets from the cloud is addressed when the contract/agreement between the customer and provider is terminated
- Enables the provider to address the issue of protecting and separating the customer’s virtual environment from those of other customers and from external parties
- Allows the customer and provider to configure virtual machines to meet the needs of the organization
- Makes it the customer’s responsibility to document and monitor the administrative operations and procedures associated with the cloud environment and the CSP’s requirement to share information about critical operations and procedures as and when customers require it
- Ensures consistent configurations are made so that the virtual network environment is in line with the information security policy of the physical network
Cloud service providers adopting ISO/IEC 27017 certification can offer their customers assurance that security controls meet their requirements, as well as demonstrate professionalism in providing a secure cloud service.
I would like to get training and certification on Cloud Security. Could you please share the details and course fee?
Many Thanks
Mahesh