ISO/IEC 27017 — Information technology — Security techniques — Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002 (DRAFT)
This standard will provide guidance on the information security aspects of cloud computing, recommending cloud-specific information security controls to supplement those recommended by ISO/IEC 27002 and other ISO27k standards, including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as the other ISO27k standards covering information security in general.
Scope and purpose
The standard will be a code of practice recommending relevant information security controls for cloud computing, based on and extending those recommended by ISO/IEC 27002.
The standard will build on ISO/IEC 27002, section 15 of which somehow contrives to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!
The decision to progress the cloud privacy and cloud relationship management standards in parallel implies that this standard will exclude both those aspects ... but let’s wait and see how it turns out.
The standard will offer information security advice for both cloud service customers and cloud service providers, with guidance for both parties side-by-side in each section.
It is being drafted in collaboration with ITU-T Q8/SG17.
Status of the standard
The standard is at CD stage. Publication is unlikely until 2015. Nearly 100 pages of comments have been received, about two thirds of which have been accepted.
The project has widespread support from national standards bodies plus the Cloud Security Alliance among others.
The CD1 version states a number of ‘sector-specific guidance’ comments: is cloud computing a “sector”? This little anomaly is presumably a consequence of the move to align sector-specific variants of ISO27k (see ISO/IEC 27009).
SC 27 decided NOT to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud service providers specifically.