ISO/IEC 27017 — Information technology — Security techniques — Security in cloud computing (DRAFT)
This standard will provide guidance on the information security elements/aspects of cloud computing. It will be accompanied by ISO/IEC 27018 covering the privacy aspects of cloud computing.
The standard will recommend cloud-specific security controls in addition to the information security controls recommended in ISO/IEC 27002.
The project has widespread support from national bodies plus the Cloud Security Alliance.
Scope and purpose
The standard is expected to be a guideline or code of practice recommending relevant information security controls for cloud computing.
The working title is “Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002”.
The decision to progress a cloud privacy standard in parallel naturally implies that this standard will exclude privacy and the protection of personal data.
Status of the standard
The standard will build on the revised version of ISO/IEC 27002 (work in progress).
The 3rd working draft (WD) is available to SC27. It mainly provides implementation advice in the cloud computing context for many of the security controls recommended by ISO/IEC 27002.
Note: SC27 decided NOT to progress a separate cloud security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud suppliers specifically.