ISO 27017 is a standard that guides the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls. It provides information beyond the general advice on security provided by the IEC 27002 in the context of computing.
The ISO 27017 advises both the cloud service customers and cloud service providers with the primary guidance which is given in each of its section. For example, the cloud service customer should agree with the cloud service provider on the allocation of information security roles and responsibilities. Moreover, both parties can state the allocated roles and responsibilities in an agreement.
Even when through the agreement the responsibilities are determined between the parties, the cloud service customer is accountable for the decision to use the service. Furthermore, the standard provides cloud-based guidance on 37 ISO 27002 controls, along with seven new cloud controls that address:
- Determining who is responsible between the cloud customer and service provider
- Once the contract is terminated, the removal of assets that take place
- Virtual machine configuration
- The handling of administrative operations and procedures associated with the cloud environment
- Monitoring the activity of the customer within the cloud
Advantages of ISO 27017 certification
- Legal compliance
- Improved competitive edge
- Reduction in security risks
- Support for data protection requirements
- Meeting customer’s expectations and strengthening their confidence
How does a cloud service customer get the benefit from ISO 27017?
This can help the IT sector and managers and the technical staff to move their organizations and their data to the cloud which can reduce the risks to their business. Moreover, it allows them to make more insightful decisions around their choice of providers.
ISO 27017 and Compliance Mapping Software
The Compliance mapping of any documents and data can be done through the ISO 27017 software which makes it easy for anyone to do this job. As you do not have to visit any office or place for such work and you can upload all the data and get things done on the cloud service.
The basic process starts from the Contractual/Legal process in which you can go to the industry data security standard and from there you can move to the data of different departments and businesses.
If you look at Annex A in the table given on the service, you can then view the code and connect the compliance mapping according to it. Once you will click on the code, you can see the different policies it is offering you, such as access control policy or System security policy.
Moreover, you can go to the Access control and from there you can select business requirements of access control to initiate the process of business compliance. Every access control has different codes and all the codes present in them has different policies and you can you either all or any number of codes for your work.
The service will also allow you to view different kind of vulnerabilities and threats that you can face in any code and you can view them with their complete description. You can even get an overview of the network security policy through our mapping Annex A section. Lastly, you can select your own catalogue for the access policy, vulnerabilities, threats and much more and that too online.