What is ISO 27017 – security controls for cloud services?


Today, organisations are entering the age of digitisation and are expanding their use of information technologies. One of the most important aspects of this transformation is the shift from in-house computing and storage systems towards cloud-based service providers, driven by the huge benefits and potential these services offer.

As is to be expected, these changes bring with them new risks and opportunities with regard to information security, which must be properly managed, just as risks are managed when the systems remain in-house. Both cases should be included in the scope of the company’s Information Security Management System (ISMS) based on the ISO 27001 standard, in order to meet the requirements of the business.

What additional controls does ISO 27017 include?

The ISO 27017 standard introduces a series of controls additional to those of ISO 27002, aimed directly at services deployed in the cloud and at the suppliers that provide them. It proposes specific controls linked to the management and provision of secure cloud-based services.

We should remember that ISO 27001 defines a set of 114 security controls, structured into 14 domains, which are applied within the scope established by each company in the implementation of their Information Security Management System.

With regard to risk management, it establishes references for identifying and mitigating the specific risks linked to cloud environments so that they can be properly dealt with.

What’s more, implementing ISO 27017 gives cloud service providers a coherent image and a clear involvement in the management of their clients’ security; it requires the prior implementation of the ISO 27001 standard. The main aim is the secure management of the data stored by clients, thereby increasing their confidence in the management and processing of their information.

What is the main focus of ISO 27017?

This standard is centred on protecting virtualisation environments and the configuration of the virtual machines hosted there to provide the services, as well as the process of returning and deleting information when the client ends their contract with the cloud service provider.

Likewise, it establishes the framework for the relationship between the client and the cloud service provider with regard to the management and administration of the services the provider offers. The aim here is to guarantee the protection of the aspects that are key to information security: the confidentiality, integrity and availability of the information.

From the point of view of companies that wish to implement or transfer part of their systems and services to the cloud, ISO 27017 provides a clear reference for the controls and risks that need to be assessed and properly addressed. It also gives visibility to the cloud service providers that maintain a correct alignment between technology, risk management and security.

For cloud service provider companies, it offers a clear opportunity to convey a sense of responsibility and confidence in the products and services they offer.

How to address ISO 27017 using software?

At GlobalSuite Solutions we offer GlobalSuite® Security, a piece of software developed entirely by our team that enables the implementation, management and maintenance of Information Security Management Systems based on the ISO 27001 and ISO 27017 standards. It is a tool that helps companies and work teams with their comprehensive management of the standard and covers the standard’s full cycle, from the start and planning of the project up to its maintenance and continuous improvement.

What’s more, our team of specialist consultants offers the advice and support needed to help companies comply with the ISO 27001 standard, as well as with ISO 27017.