ISO/IEC 27017

ISO/IEC 27017 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (DRAFT) Updated June 22

Introduction

This standard will provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls that supplement the guidance in ISO/IEC 27002 and in the other ISO27k standards, notably ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management.

Scope and purpose

The standard will be a code of practice offering additional controls implementation advice beyond that provided in ISO/IEC 27002.

The standard will offer information security advice for both cloud service customers and cloud service providers, presenting the guidance for the two parties side-by-side in each section. For example, the draft of section 6.1.1 on information security roles and responsibilities says, in part:

    Cloud service customer

    The cloud service customer should review the proposed demarcation of information security responsibilities and confirm it can accept its responsibilities ...

    Cloud service provider

    The cloud service provider should define and document the demarcation of responsibilities of cloud service customer, cloud service supplier and its suppliers ...

    Other information for cloud computing

    Ambiguity in the definition of responsibilities related to issues such as data ownership, access control and infrastructure maintenance, may give rise to business or legal disputes, especially when dealing with third parties ...

Status of the standard

The standard is being drafted in collaboration with ITU-T Q8/SG17.

The standard is at CD (Committee Draft) stage.  Publication is unlikely until 2015.  Nearly 100 pages of comments have been received, about two thirds of which have been accepted.

Personal comments

The project has widespread support from national standards bodies plus the Cloud Security Alliance among others.

This standard will close a gap in ISO/IEC 27002 section 15 which somehow contrives to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!

The CD1 version contained a number of ‘sector-specific guidance’ comments: is cloud computing a “sector”?  This little anomaly is presumably a consequence of the move to align sector-specific variants of ISO27k (see ISO/IEC 27009).

SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient.  Therefore, there are no plans to certify the security of cloud service providers specifically.

SC 27’s decisions to develop dedicated cloud privacy and cloud relationship management standards in parallel with this one imply that it should exclude both those aspects, referring to those standards instead ... which indeed is happening for privacy but not for relationship management at this point in the drafting: perhaps the cloud relationship standard project never made it off the drawing board?

Copyright © 2014 IsecT Ltd.