An In-Depth Guide to ISO 27017
Payal Wadhwa
Oct 10, 2024

A recent study by Gartner states that the total end-user spending on public cloud services was estimated to reach $591.8 billion by the end of 2023—a 20.7% surge over the last year.
As the cloud computing landscape flourishes with new innovations, companies are increasing their investment in such technologies. However, with widescale implementation also comes increased security risk. This is why cybersecurity is a top priority for global organizations going into 2024.
Compliance is a big component of cybersecurity and plays a crucial role in minimizing cloud security issues. Among the many security standards is ISO/IEC 27017:2015, a standard that deals specifically with cloud data security, cloud service providers, and cloud computing.
In this blog, we delve deeper into ISO 27017 compliance, its scope, benefits, challenges, and more.
What is an ISO 27017 certification?
ISO/IEC 27017 is a compliance framework that offers guidelines for both cloud service providers and cloud customers, aimed at safeguarding physical networks and virtual cloud infrastructure. The international standard guides organizations on two fronts: how to implement the Information Security Management System (ISMS) controls provisioned within ISO 27002 in a cloud context, and which additional controls are unique and specific to cloud environments.
Presently, ISO 27017 has only one edition, published in 2015. A second edition is in progress, slated to be published in 2025.
What is the scope of ISO/IEC 27017?
ISO 27017 applies to cloud service providers that have an Information Security Management System in place as per the specifications laid out in ISO 27001. The framework evaluates the effective implementation of 37 controls under ISO/IEC 27002, which the organization selects based on its risk assessment. It also evaluates the following seven controls that are unique and specific to cloud service providers:
- The roles and responsibilities of customers and service providers with respect to cloud computing and security
- The purge and retrieval of data on customer contract termination
- Protection and separation of one customer’s virtual environment from other customers’ environments
- The practice of machine hardening or minimizing the vulnerability surface according to business requirements
- The operational responsibilities of the role of administrator
- The ability to enable cloud customer monitoring
- Alignment of security management for physical and virtual cloud computing environments
Who needs to implement ISO/IEC 27017?
ISO/IEC 27017, as a framework, allows organizations to adopt a methodical and consistent approach to customer security by focusing thoroughly on cloud and data security. It applies specifically to cloud service providers and cloud service customers.
ISO 27017 is comprehensive in the way it specifies what customers can expect from their cloud service providers as well as the responsibilities and obligations customers have to create and maintain a secure cloud environment.
How to get ISO/IEC 27017 certified?
An ISO 27017 certification is an essential badge for companies looking to stand out from the competition and assure customers of a consistent and sustainable commitment to cloud security. But getting ISO 27017 certified can be a bit different from other frameworks.
Unlike other frameworks, it is not a management standard, and companies cannot obtain an independent ISO 27017 certification. However, companies can include the controls specified within ISO 27017 in the scope of their ISO 27001 audit.
Setting this difference aside, here’s a list of steps that companies need to follow to get ISO 27017 certified.
Determine your current state and conduct risk assessment
Conduct a thorough study of your current cloud security policies. An honest assessment of applicable cloud and security controls can help companies determine where their measures are falling short and what needs to be addressed.
At this point, it’s important to note, in detail, all the risks that could affect the confidentiality, integrity, availability, and ownership of assets and systems, and to determine the impact and likelihood of each risk. Thorough risk management also helps the company determine which controls within ISO/IEC 27002 fall within the scope of the exercise.
Form a team and assign responsibilities
Clearly assigned responsibilities are a crucial part of getting ISO certified. Create a team of security and control specialists who can help you choose the ISO 27002 controls that are relevant to your organization and carry out the unique cloud-specific control requirements. Clearly define a timeline and an action plan for implementation.
Implement new controls
Implement the controls and security guidelines outlined in this framework. This is an ongoing effort that takes a significant amount of time. Because ISO 27001 and ISO 27002 are typically deployed together, a number of the controls may already be implemented. The cloud-specific controls, however, need to be rolled out from scratch.
Conduct staff training
Once controls are implemented, it’s important to educate your employees on managing them effectively. Ensure your internal teams receive sufficient awareness training, role-oriented training, and regular updates so they can carry out their duties efficiently. Areas such as data handling and incident reporting need special attention, since they can impact both certifications.
Document your processes
ISO 27017, like any security framework, is heavy on documentation. Create SOPs and take special care to document your business processes and controls along the way. These will function not only as evidence but also as guidelines for repeat certifications.
Conduct an internal audit in tandem with ISO 27001
As mentioned earlier, the ISO 27017 certification happens in tandem with ISO 27001. Therefore, it’s important to conduct a thorough internal audit that assesses both the ISMS implementation and the controls relevant to cloud services. An effective internal audit undergoes three stages of review—a documentation review, a field review (which generates an internal audit assessment report), and a management review. The findings from the assessment report need to be acted on and tested before considering a formal external audit.
Undergo an external audit
The first course of action is to notify the auditor that the scope of assessment includes the criteria of ISO/IEC 27017 in addition to ISO 27001. The external certification audit typically happens in two stages. The first stage entails auditing evidence of implementation and sufficiency. The auditor will also thoroughly review documentation of processes, SOPs, and practices in place, as well as the systems that fall within the scope of the ISMS. The auditor then presents an assessment report of the findings, which the company is required to act on.
The second stage of the audit takes place within six months of the first. The auditor evaluates the ISMS on a sample basis to determine whether the company’s ISMS is operating within ISO standards. The audit will finally assess the corrective and preventive actions the company has taken in response to the findings from stage one. The auditor then presents a list of observations that highlights major and minor non-conformities as well as opportunities for improvement. Major non-conformities will have to be addressed, and the evidence will need to be shared with the auditor.
Compliance is not a one-time thing. Companies are expected to monitor their ISMS, conduct regular surveillance audits, and keep their systems updated regularly.
Benefits of ISO 27017
ISO 27017 as a framework is designed specifically to help companies that operate largely on the cloud and focus on providing their customers with secure cloud services. The following are a few benefits of implementing the framework:
Standardized cloud security
ISO 27017 is a well-thought-out framework focused on reducing cloud-related risks and ensuring a standardized implementation of cloud-based security measures.
Complements ISMS implementation
ISO 27017 is deployed in tandem with other frameworks within the ISO 27000 series, so implementing it ensures that the cloud element of operations complements the organization’s ISMS.
Brings together service providers and customers
ISO 27017 is explicit in the way it defines security roles and responsibilities for customers as well as service providers to ensure a high standard of protection.
Sustained approach to strategy
Implementing ISO 27017 ensures a long-term approach to data security strategy. The standard helps organizations stand out from the competition and enables sustained development.
Reduced reputational risk
Companies that are ISO 27017 certified are able to greatly mitigate the risk of data breaches. They are also able to offer better transparency into their cloud operations, which builds customer trust and strong business relationships.
Challenges of implementing ISO/IEC 27017
As with every framework, implementing ISO 27017 can have some challenges. The following are some of the most common challenges companies may face while doing so:
Changing landscape
The nature of cloud computing is constantly changing, so interpreting the requirements adequately and keeping up to date with the latest threat landscape is an ongoing challenge.
Service provider inconsistency
ISO 27017 heavily hinges on how effectively cloud service providers implement controls and requirements. Customers may face risk exposure if cloud service providers do not consistently apply the standard.
Increased complexity
Since this framework does not have an independent certification, companies will want to deploy it along with complementary standards. But implementing this standard and integrating it with other standards is not straightforward.
ISO 27017 vs ISO 27001: Key differences
Since we’ve mentioned both frameworks, it’s important to clear up the differences between them. Here are the key differences between ISO 27017 and ISO 27001:
| | ISO/IEC 27017 | ISO/IEC 27001 |
|---|---|---|
| Purpose and scope | An extension of ISO 27001 that deals with cloud security. The code of practice provides guidelines for cloud service providers (CSPs) and cloud customers. | A comprehensive ISMS standard that helps organizations establish, implement, maintain, and improve their ISMS. |
| Applicability | Primarily applicable to CSPs and cloud customers. | Can be applied to any organization irrespective of size, industry, or nature. |
| Controls | Includes 7 unique cloud security controls as well as 37 additional controls from ISO 27002. | Contains 114 controls divided into 14 domains. |
What standards can ISO 27017 be integrated with?
ISO 27017 can be integrated with several other standards and frameworks to improve information security in general and cloud security in particular for organizations. Some of the standards ISO 27017 can be integrated with are:
- ISO/IEC 27001
- ISO/IEC 27002
- Cloud Security Alliance (CSA)
- National Institute of Standards and Technology (NIST)
- General Data Protection Regulation (GDPR)
Get ISO 27017 certified with Sprinto
ISO/IEC 27017 is a less complex framework to implement than many others, yet it can be an incredibly important one for companies that operate largely on the cloud. With data breaches at an all-time high, companies are under immense pressure to protect data and provide their customers with a safe and secure cloud service. And although the framework is simpler to implement, it can still pose challenges that prove cumbersome.
Sprinto is a compliance automation platform that enables organizations to become ISO 27017 compliant without any of the manual work. The platform provides customized guidance and reduces the time to get audit ready by mapping requirements to controls, automating surveillance and checks, and gathering evidence of compliance. In short, it makes quick work of complex requirements and ensures you’re focused on the things that matter.
Ready to get started? Speak to our experts today.
Frequently Asked Questions
What are the domains that ISO/IEC 27017:2015 covers?
The ISO/IEC 27017:2015 standard covers key topics such as asset ownership, data segregation, safe storage, disposal of assets after contract termination, and alignment of customer and service provider roles, among many others.
What is the difference between ISO 27017 and ISO 27018?
Broadly, the ISO 27017 certification offers guidelines on cloud security and data protection whereas an ISO 27018 certification offers cloud service providers and data controllers guidelines on selecting and implementing data security controls.
Is ISO 27017 part of ISO 27001?
ISO 27017 is a security framework that complements ISO 27001. While ISO 27001 provides guidelines for creating, implementing, and maintaining an ISMS, ISO 27017 offers implementation guidelines that apply to cloud security in particular. ISO 27017 is typically deployed as a complementary framework to ISO 27001 and ISO 27002.