ISO/IEC 27017

ISO/IEC 27017 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services (FDIS) Status update July

Introduction

This standard will provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and indeed other ISO27k standards including ISO/IEC 27018 on the privacy aspects of cloud computing, ISO/IEC 27031 on business continuity, and ISO/IEC 27036-4 on relationship management, as well as all the other ISO27k standards.

Scope and purpose

The standard will be a code of practice offering additional controls implementation advice beyond that provided in ISO/IEC 27002.

The standard will offer information security advice for both cloud service customers and cloud service providers, offering guidance for both parties side-by-side in each section, for instance section 6.1.1 on information security roles and responsibilities says, in part:

Cloud service customer

The cloud service customer should agree with the cloud service provider on an appropriate separation of information security roles and responsibilities and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should be stated in an agreement. The cloud service customer should identify and manage the customer support and care representative and the cloud service business manager of the cloud service provider.

Cloud service provider

The cloud service provider should agree and document an appropriate separation of information security roles and responsibilities with its cloud service customers, its cloud service providers and its suppliers.

Other information for cloud computing

Ambiguity in the definition of responsibilities related to issues such as data ownership, access control and infrastructure maintenance, may give rise to business or legal disputes, especially when dealing with third parties ...

Normative standards

The standard cites ISO/IEC 27000 and 27002, of course, plus ISO/IEC 17788 (cloud computing overview and vocabulary) and ISO/IEC 17789 (cloud reference architecture). Curiously, ISO/IEC 27001 is noted in the bibliography but is not considered ‘normative’, i.e. essential reading.

Status of the standard July 2015

The standard has been developed by ISO/IEC JTC1/SC 27 in collaboration with ITU-T Q8/SG17 and looks likely to be jointly numbered as both ISO/IEC 27017 and ITU-T Y.3500 (?) with identical text.

The standard is at FDIS stage, nearly 50 pages of comments on the DIS version having been processed. Publication is possible in 2015.

Personal comments

The project has widespread support from national standards bodies plus the Cloud Security Alliance among others.

As an ambitious first edition, it may not be brilliant but will hopefully be useful.

This standard will close a gap in ISO/IEC 27002 section 15 which somehow contrives to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!

SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud service providers specifically. They can however be certified compliant with ISO/IEC 27001, like any other organization.

SC 27’s decisions to develop dedicated cloud privacy and cloud relationship management standards in parallel with this one imply that it should exclude both those aspects, referring to those standards instead ... which indeed has happened for privacy but not for relationship management.

July 2015: Efforts are being made to check the scopes and alignment of the cloud security standards, both within SC 27’s remit and without (e.g. the ISO27k cloud standards should use and not conflict with ISO/IEC 17788 and 17789).

Copyright © 2015 IsecT Ltd.