ISO/IEC 27017 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (DRAFT)


This standard will provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and indeed other ISO27k standards including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO27k standards.

Scope and purpose

The standard will be a code of practice offering additional controls implementation advice beyond that provided in ISO/IEC 27002.

The standard will offer information security advice for both cloud service customers and cloud service providers, offering guidance for both parties side-by-side in each section, e.g. the draft of section 6.1.1 on information security roles and responsibilities says, in part:

    Cloud service customer: The cloud service customer should review the proposed demarcation of information security responsibilities and confirm it can accept its responsibilities ...

    Cloud service provider: The cloud service provider should define and document the demarcation of responsibilities of cloud service customer, cloud service supplier and its suppliers ...

    Other information for cloud computing: Ambiguity in the definition of responsibilities related to issues such as data ownership, access control and infrastructure maintenance, may give rise to business or legal disputes, especially when dealing with third parties ...

Status of the standard

The standard is being drafted in collaboration with ITU-T Q8/SG17.

The project is at CD stage. Numerous comments have been submitted on the CD2 version, but the comments are generally editorial rather than technical in nature, and most national bodies have approved the draft; in other words, the project seems to be going quite well.

A proposed change of title to “Code of practice for information security controls based on ISO/IEC 27002 for cloud computing services” was rejected by SC 27.

We await the results of the vote on the DIS version. Publication is possible in mid-2015. As an ambitious first edition, it may not be brilliant, but it will hopefully be useful.

Personal comments

The project has widespread support from national standards bodies plus the Cloud Security Alliance among others.

This standard will close a gap in ISO/IEC 27002 section 15 which somehow contrives to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!

SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient.  Therefore, there are no plans to certify the security of cloud service providers specifically.

SC 27’s decisions to develop dedicated cloud privacy and cloud relationship management standards in parallel with this one imply that it should exclude both those aspects, referring to those standards instead ... which indeed is happening for privacy but not for relationship management at this point in the drafting: perhaps the cloud relationship standard project never made it off the drawing board?

Copyright © 2015 IsecT Ltd.