ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- Additional implementation guidance for relevant controls specified in ISO/IEC 27002
- Additional controls, with implementation guidance, that relate specifically to cloud services
The standard provides enhanced controls for both cloud service providers and cloud service customers and is meant to be applied alongside ISO/IEC 27001 and ISO/IEC 27002. By clarifying the roles and responsibilities of both parties, it is intended to bring the security of cloud services to the same level as that of any other certified information security management system.
The standard not only provides cloud-specific guidance on the ISO/IEC 27002 security controls, but also introduces seven new controls of its own. These additions address:
- Delineation of responsibilities between the cloud service provider and the cloud service customer
- Disposition of cloud service customer assets upon contract termination
- Protection and isolation (segregation) of the cloud service customer's virtual environment
- Virtual machine configuration and hardening
- Cloud service provider administrative operations and procedures in the cloud environment
- Cloud service customer monitoring of activity within the cloud service
- Alignment of security management between virtual and physical network environments