What is the new ISO 27017 standard and why should cloud customers and cloud services providers care?
- ISO 27001: guidelines for managing an overall information security management system
- ISO 27002: a list of specific security controls an organisation could use
- ISO 27017: general security guidelines for operating in the cloud
- ISO 27018: guidelines specifically addressing how to protect personal data in the cloud
In practical terms, ISO 27017 builds on ISO 27002: it gives extra detail for some of the security controls and adds some new controls, both to increase relevance to the cloud computing sector.
The guidance in ISO 27017 is designed for both providers and customers of cloud services. It notes that the way cloud computing works means it's possible to have a supply chain in which the same organisation is both a cloud service customer and a cloud service provider.
ISO 27017 was developed to reflect what it lists as “significant changes in how computing resources are technically designed, operated and governed.” It also notes that it’s not just a matter of cloud service providers maintaining security. Instead, customers will need to assess the provider’s security controls and it’s possible the customer may then have to adjust its own activities to meet its security requirements.
- cloud service customers should specify what backup capability they require from the provider, verify that the offered service meets their needs, and make their own arrangements if the service isn't sufficient; while
- cloud service providers should provide “secure and segregated access to backups” and also provide a specification of the backup capabilities.
- Scope and schedule of backups
- Backup methods
- Data formats
- Retention periods
- Integrity of backup data
- Restoration procedure and timescale
- Physical location of backups
The most significant new control in ISO 27017 regards segregation in virtual computing environments. The key principle is that the customer’s virtual environment be protected from unauthorised access, including by other customers. This requires “appropriate logical segregation” of data and resources as well as taking into account the risks of allowing customers to run their own software.
Contact Int Tec Solutions
Speak to the Int Tec support team to work out how you can ensure your cloud services provider is ISO 27017 compliant today!