ISO IEC 27017-2015 PDF

St ISO IEC 27017-2015

Name in English:
St ISO IEC 27017-2015

Name in Russian:
St ISO IEC 27017-2015

Description in English:

Original standard ISO IEC 27017-2015 in PDF full version. Additional info + preview on request

Description in Russian:
Original standard ISO IEC 27017-2015 in PDF, full version. Additional info + preview on request

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25974

Choose Document Language:
€25

Full title and description

ISO/IEC 27017:2015 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. This code of practice provides cloud-specific implementation guidance and additional controls to help both cloud service providers and cloud service customers manage information security in cloud environments.

Abstract

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by: (1) providing additional implementation guidance for relevant controls specified in ISO/IEC 27002; and (2) specifying additional controls with implementation guidance that specifically relate to cloud services. The guidance is written for both cloud service providers and cloud service customers.

General information

  • Status: Published.
  • Publication date: December 2015 (Edition 1; ISO records the publication as 2015-12).
  • Publisher: International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) — developed by ISO/IEC JTC 1/SC 27 (joint activity with ITU‑T).
  • ICS / categories: 35.030 (IT security).
  • Edition / version: Edition 1 (2015).
  • Number of pages: 30 (ISO publication).

Scope

Provides a code of practice for information security controls specifically tailored to cloud services. The standard supplements the controls and guidance in ISO/IEC 27002 by adding cloud-sector implementation guidance and cloud-specific controls; it is intended to assist both cloud service providers and cloud service customers in selecting and implementing appropriate controls within their risk management and contractual frameworks.

Key topics and requirements

  • Shared responsibility model: clarifies roles and responsibilities between cloud providers and customers.
  • Controls for segregation and protection of customers’ virtual environments (multi-tenancy and virtualization hardening).
  • Asset and data lifecycle: secure return, transfer or deletion of customer assets and data at contract termination.
  • Operational controls and change management for cloud-specific administration and orchestration operations.
  • Monitoring, logging and auditability: enabling customer transparency and evidence of activities where appropriate.
  • Guidance on access control, cryptography and network alignment in virtual/cloud contexts.
  • Contractual and service-level considerations to support secure cloud provisioning and service delivery.

These topic areas reflect the standard’s role as an extension of ISO/IEC 27002 with cloud-specific implementation notes.

Typical use and users

Used by cloud service providers (CSPs), cloud service customers, cloud architects, security and compliance teams, auditors, integrators and procurement specialists to design, evaluate and document cloud security controls and contractual obligations. Organizations commonly adopt ISO/IEC 27017 guidance alongside ISO/IEC 27001/27002 when implementing or assessing cloud-related aspects of an ISMS.

Related standards

Closely related to ISO/IEC 27002 (controls code of practice) and ISO/IEC 27001 (ISMS requirements); also complements cloud-specific standards such as ISO/IEC 27018 (protection of personal data in public clouds) and ISO/IEC 17788 / 17789 (cloud computing — vocabulary and reference architecture). The work was developed jointly with ITU‑T and is dual-numbered as ITU‑T X.1631 (identical content).

Keywords

cloud security, cloud controls, information security, ISO/IEC 27017, ISO/IEC 27002, shared responsibility, virtualization, multi-tenancy, cloud governance, data lifecycle, auditability

FAQ

Q: What is this standard?

A: ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance and additional information security controls derived from ISO/IEC 27002, intended for both cloud service providers and cloud customers.

Q: What does it cover?

A: It covers implementation guidance for ISO/IEC 27002 controls in cloud contexts plus additional cloud-specific controls addressing shared responsibilities, segregation of environments, virtual machine hardening, asset return/deletion, monitoring and contractual/security lifecycle issues.

Q: Who typically uses it?

A: Cloud service providers, cloud customers, security architects, compliance and procurement teams, auditors and integrators use the standard to guide cloud security design, supplier selection, contractual terms and control implementation.

Q: Is it current or superseded?

A: The published first edition is ISO/IEC 27017:2015 (confirmed current by ISO on review). ISO has recorded review activity and indicates that a revision (a new FDIS) has been under development; organizations should check for any newer edition or replacement FDIS when assessing currency.

Q: Is it part of a series?

A: Yes — it is part of the ISO/IEC 27000 family of information security standards and is intended to be used in conjunction with ISO/IEC 27001 and ISO/IEC 27002 as cloud-focused guidance.

Q: What are the key keywords?

A: cloud security, cloud controls, shared responsibility, virtualization, multi-tenancy, information security management, ISO/IEC 27002, cloud service provider, cloud customer.