What is ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO/IEC 27017:2015 is a standard that provides guidelines for information security management in the cloud. The standard is part of a larger set of standards known as ISO/IEC 27000, which provides a framework for information security management.

ISO/IEC 27017:2015 is specifically designed for cloud service providers (CSPs) and cloud service customers (CSCs) and outlines the requirements for managing security risks in cloud environments from the perspective of each party. The standard covers a wide range of topics, including risk assessment, security controls, incident management, and compliance, and references ISO/IEC 27002 extensively.

One of the key features of the standard is its focus on risk management. CSPs and CSCs are required to conduct regular risk assessments to identify potential security threats and vulnerabilities. They must also implement a range of security controls to mitigate these risks, including access controls, encryption, and monitoring.

Another important aspect of the standard is its treatment of the shared roles and responsibilities between CSPs and CSCs in the use of cloud services, identified in terms of the cloud layers that each party uses and controls.

The standard also includes requirements for compliance with relevant laws and regulations. CSPs and CSCs must ensure that they comply with all relevant laws and regulations, including data protection and privacy laws. This is especially important in the cloud, where the data may be stored in a country other than the one in which the CSC resides.

Overall, ISO/IEC 27017:2015 provides a comprehensive set of guidelines for managing information security in the cloud. It helps CSPs and CSCs to identify and mitigate potential security risks and ensure compliance with relevant laws and regulations. This in turn helps to protect the sensitive information of customers and maintain the trust of customers and other stakeholders.

We are information security consultants who can help your organization simplify the implementation of ISO/IEC 27001:2022 and achieve certification with our methodology and framework approach. For SMEs based in Singapore, we also help companies apply for the EDG grant for ISO 27001 and other standards adoption. Do reach out to us via email at [email protected]