Introduction to ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Around the world, organisations are increasingly aware of the business value that cloud computing brings and are taking steps towards a transition to the cloud. A smooth transition entails a thorough understanding of the benefits as well as the challenges involved. One of the key challenges of cloud computing is how it addresses the security and privacy concerns both of businesses planning to adopt it and of the cloud service providers (CSPs) implementing it.
The fact that valuable enterprise data will reside outside the corporate firewall raises serious concerns. Hacking and other cyber-attacks on shared cloud infrastructure can have a domino effect and affect multiple clients even if only one site is attacked.
As the global usage of cloud technology continues to grow, businesses must strategically consider the risk of storing protected information in the cloud and explore viable security options in order to protect their information systems.
What is ISO 27017?
ISO/IEC 27017 is a standard developed for cloud service providers and cloud service customers to secure cloud-based environments and minimise the potential risk of a security incident.
ISO/IEC 27017 is designed to assist in the recommendation and implementation of controls for cloud-based organisations. It is relevant not only to organisations which store information in the cloud, but also to providers which offer cloud-based services to other companies that may hold sensitive information.
This standard is built upon ISO/IEC 27002, but allows specific controls to be added for the needs of cloud organisations and their end-users.
The assessment is normally structured in tailor-made verification steps. The output of this verification process can be made available both internally within the company and publicly. The organisation may also choose to define a boundary for the assessment in relation to the core issues of the standard, focusing on those that are most crucial to the organisation itself and its business practices.
Why is ISO/IEC 27017 Important?
Cloud data security is vital, as clients will want to be sure that their data is safe while stored in the cloud. The ISO/IEC 27017 standard allows the organisation to commit to a long-term goal.
The organisation will have an internationally standardised framework on which to base its cloud security. Once the required controls are internalised, the organisation will be able to reduce operational and reputational risks and work towards a sustainable future.
The standard extensively covers topics such as asset ownership, recovery actions if the CSP is dissolved, disposal of assets containing sensitive information, segregation and storage of data, alignment of security management for virtual and physical networks, and others.
What benefits it brings to business:
- Develop a long-term strategy;
- Increase transparency;
- Reduce reputational risks;
- Win customer trust;
- Inspire trust in your business;
- Gain competitive advantage;
- Protect your brand reputation;
- Protect against fines.
ISO/IEC 27017:2015 is applicable to
cloud service providers and cloud service customers.
Our consulting approach:
- Gap Analysis: Assessment of existing management system practices against the requirements of the selected standard.
- Project Plan: Preparation of an implementation project plan based on the timelines you are looking for.
- Orientation Training: Orientation of top/senior management on the requirements of the selected standard, and preparation of implementation action plans.
- Developing different levels of documentation (Tier 1-3/4): Identification of the processes required for the products produced and services provided; external and internal issues affecting the business; the needs and expectations of interested parties; framing of the draft quality policy, organisational objectives, roles, responsibilities and authorities, the various risks and opportunities arising, functional and system procedures, and the different implementation formats and checklists.
- System Implementation: Implementation of the selected management system as per the developed documentation.
- Company-wide Training: Training on the detailed clause-wise requirements, relating them to each department, and internal audit training.
- Internal Audits: Periodic assessment of system implementation and corrective actions.
- Pre-assessment: Initial audit by the certifying agency and implementation of corrective actions.
- Final Assessment: Certification audit by the certifying agency and recommendation for certification.