ISO/IEC 27017 — Information technology — Security techniques — Code of practice for information security controls for cloud computing services based on ISO/IEC 27002 (DRAFT)
This standard will provide guidance on the information security elements/aspects of cloud computing, recommending cloud-specific information security controls supplementing those recommended by ISO/IEC 27002 and indeed other ISO27k standards including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO27k standards covering information security in general.
Scope and purpose
The standard will be a code of practice recommending relevant information security controls for cloud computing, based on and extending those recommended by ISO/IEC 27002.
The decision to progress the cloud privacy and cloud relationship management standards in parallel implies that this standard will exclude those aspects ... but let’s wait and see how it turns out.
The standard will offer information security advice for both cloud service users/consumers/customers and cloud service providers (those terms are not yet decided). The working draft proposes controls for both parties side-by-side in each section. This is therefore an ambitious project with a broad scope covering all stakeholders and all cloud service models.
It is being drafted in collaboration with ITU-T Q8/SG17.
Status of the standard
The standard is at Working Draft stage. Publication is unlikely until 2015 (the team has requested the publication deadline be rescheduled for October 2015).
Over 200 pages of detailed comments from national bodies are being digested and integrated into the next draft. The comments are generally positive and helpful, but it inevitably takes time to discuss and agree on so many of them in in-person committee meetings [SC 27 is curiously reluctant to adopt collaborative working practices, many of which are cloud based. Perhaps the security risks are too scary?!]
The standard will build on the 2013 version of ISO/IEC 27002, section 15 of which somehow manages to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!
The project has widespread support from national standards bodies plus the Cloud Security Alliance among others. Seems everyone wants a seat on the cloud bandwagon ...
SC 27 decided NOT to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud service providers specifically.