British Standards Institution (BSI) has introduced certification and training to support the use of ISO/IEC 27017 based on ISO/IEC 27002 for cloud services.
The certification and training may reassure customers who are concerned about the security of cloud services.
The rapid adoption of cloud computing by organisations of all sizes and types challenged the ISO/IEC 27000 series since it mostly dealt with information security within one organisation, yet cloud computing by its nature involves a provider and a customer.
ISO/IEC 27017 provides guidance on information security aspects of cloud computing, recommending and assisting with implementation of cloud-specific information security controls, supplementing the guidance in ISO/IEC 27002 and other standards.
The ISO/IEC 27017 standard promises to:
- address information security management of public cloud services head-on
- extend the control sets defined in ISO/IEC 27002 to cloud services
- detail the controls and/or documentation that the provider and customers need to have in place
- show what information/capabilities must be supplied to the customer by the provider
- enable the customer to ensure that the cloud services they use meet the information security requirements of the customer and that the cloud services fit into the management processes of the customer.
“ISO/IEC 27017 looks at the roles and IT responsibilities of both the cloud service customer and the cloud service provider when it comes to delivering security controls. Following this guidance can help meet the needs of both parties, but they can receive further support from the ISO/IEC 27017 certification scheme, or training modules, the latter of which look at how to audit ISO/IEC 27017,” said Elaine Munro, head of portfolio management at BSI.