Identify The Main Objectives Of The ISO 27017 Standard And The Additional Controls That Are Part Of The Standard
In today's technology-driven environment, the majority of enterprises and their operations rely largely on cloud computing applications and platform solutions. Despite the importance of cloud services and the availability of cloud functions across industries, there is a lack of trust in the security of cloud service solutions and providers. Why are users hesitant to trust personal data to cloud platforms? The most important factor could be the uncertainty that comes with being responsible for protecting sensitive data stored in the cloud.
In actuality, both sides should be held liable. While it is the responsibility of the cloud service customer to implement organizational information security controls and processes, it is the cloud service provider's (CSP) responsibility to limit the risks of a cloud-based information security breach. This is where the ISO/IEC 27017 security standard may be able to bridge the gap between both parties and improve public perception of cloud security.
ISO/IEC 27017 is an information security framework for enterprises that use (or are considering utilizing) cloud services. ...
... Cloud service providers must comply with this standard because it protects their cloud service users (and others) by offering a consistent and comprehensive approach to information security. ISO 27017 is a standard in the ISO/IEC 27000 family that provides best-practice guidelines for information security management. This standard derives from ISO/IEC 27002 and proposes additional cloud security procedures not completely stated in ISO/IEC 27002.
The focus of this standard is on safeguarding virtualization environments, the setup of the virtual machines housed within to supply the services, and the delivery and deletion of data when a client ends their connection with the cloud service provider. Also, it creates the foundation for the connection between the customer and the cloud service provider in terms of the management and administration of its services. The goal of this initiative is to ensure the preservation of crucial components of information security, such as data availability, confidentiality, and integrity.
The ISO 27017 standard offers a clear reference for the controls and risks that must be evaluated and properly addressed from the perspective of the businesses that wish to implement or transfer a portion of their systems and services to the cloud. It also gives visibility to cloud service providers that maintain the proper alignment between technology, risk management, and security. For businesses offering cloud services, it presents a very clear opportunity to show a culture of accountability and faith in the products and services that they provide.
What additional controls does ISO 27017 include?
The ISO 27017 standard provides several controls that are added to the ISO 27002 standard. These controls are specifically focused on cloud-based services and the vendors that provide them, and they include special controls related to the management and delivery of secure cloud-based services.
We should keep in mind that ISO 27001 specifies a collection of 114 security controls that are organized into 14 domains and applied within the parameters determined by each organization when putting its Information Security Management System into practice. In terms of risk management, guidelines are set up to identify and reduce certain risks linked to the cloud systems so they may be effectively handled.
Furthermore, the ISO 27017 documents must contain all necessary controls, including the following controls for cloud service providers:
• Collaborative roles and responsibilities in a cloud computing environment
• Removal of cloud service customer assets
• Segregation in virtual computing environments
• Virtual machine hardening
• Administrator’s operational security
• Monitoring of cloud services
• Security management for virtual and physical networks must be coordinated
Source: https://27001securitycertification.wordpress.com/2023/03/17/identify-the-main-objectives-of-the-iso-27017-standard-and-the-additional-controls-that-are-part-of-the-standard/