ISO IEC 27017:2015 download

05-23-2021

ISO/IEC 27017:2015 download. Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
1 Scope
This Recommendation | International Standard gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
– additional implementation guidance for relevant controls specified in ISO/IEC 27002;
– additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.
2 Normative references
The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau (TSB) of the ITU maintains a list of currently valid ITU-T Recommendations.
2.1 Identical Recommendations | International Standards
– Recommendation ITU-T Y.3500 (2014) | ISO/IEC 17788 (in force), Information technology – Cloud computing – Overview and vocabulary.
– Recommendation ITU-T Y.3502 (2014) | ISO/IEC 17789 (in force), Information technology – Cloud computing – Reference architecture.
2.2 Additional references
– ISO/IEC 27000 (in force), Information technology – Security techniques – Information security management systems – Overview and vocabulary.
– ISO/IEC 27002:2013, Information technology – Security techniques – Code of practice for information security controls.
3 Definitions and abbreviations
3.1 Terms defined elsewhere
For the purposes of this Recommendation | International Standard, the terms and definitions given in ISO/IEC 27000, Rec. ITU-T Y.3500 | ISO/IEC 17788, Rec. ITU-T Y.3502 | ISO/IEC 17789 and the following definitions apply:
3.1.1 The following term is defined in ISO 19440:
– capability: Quality of being able to perform a given activity.
3.1.2 The following terms are defined in ISO/IEC 27040:
– data breach: Compromise of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed.
– secure multi-tenancy: Type of multi-tenancy that employs security controls to explicitly guard against data breaches and provides validation of these controls for proper governance.
NOTE 1 – Secure multi-tenancy exists when the risk profile of an individual tenant is no greater than it would be in a single-tenant environment.
NOTE 2 – In very secure environments, the identity of the tenants is kept secret.
3.1.3 The following term is defined in ISO/IEC 17203:
– virtual machine: The complete environment that supports the execution of guest software.
NOTE – A virtual machine is a full encapsulation of the virtual hardware, virtual disks, and the … associated with it. Virtual machines allow multiplexing of the underlying physical machine through a software layer called a
3.2 Abbreviations
For the purposes of this Recommendation | International Standard, the following abbreviations apply:
IaaS Infrastructure as a Service
PaaS Platform as a Service
PII Personally Identifiable Information
SaaS Software as a Service
SLA Service Level Agreement
VM Virtual Machine
4 Cloud sector-specific concepts
4.1 Overview
The use of cloud computing has changed how organizations should assess and mitigate information security risks because of the significant changes in how computing resources are technically designed, operated and governed. This Recommendation | International Standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002 and provides additional controls to address cloud-specific information security threats and risk considerations.
Users of this Recommendation | International Standard should refer to clauses 5 to 18 in ISO/IEC 27002 for controls, implementation guidance and other information. Because of the general applicability of ISO/IEC 27002, many of the controls, implementation guidance and other information apply to both the general and cloud computing contexts of an organization. For example, '6.1.2 Segregation of duties' of ISO/IEC 27002 provides a control that can be applied whether the organization is acting as a cloud service provider or not. Additionally, a cloud service customer can derive requirements for segregation of duties in the cloud environment from the same control, e.g., segregating the cloud service customer's cloud service administrators and cloud service users.
As an extension to ISO/IEC 27002, ISO/IEC 27017 further provides cloud service specific controls, implementation guidance and other information (see clause 4.5) that are intended to mitigate the risks that accompany the technical and operational features of cloud services (see Annex B). The cloud service customers and the cloud service providers can refer to ISO/IEC 27002 and this Recommendation | International Standard to select controls with the implementation guidance, and add other controls if necessary. This process can be done by performing an information security risk assessment and risk treatment in the organizational and business context where cloud services are used or provided (see clause 4.4).
4.2 Supplier relationships in cloud services
ISO/IEC 27002 clause 15 'Supplier relationships' provides controls, implementation guidance and other information for managing information security in supplier relationships. The provision and use of cloud services is a kind of supplier relationship, where the cloud service customer is an acquirer, and the cloud service provider is a supplier. Therefore, the clause applies to cloud service customers and cloud service providers.
Cloud service customers and cloud service providers can also form a supply chain. Suppose that a cloud service provider provides an infrastructure capabilities type service. In addition, another cloud service provider can provide an application capabilities type service. In this case, the second cloud service provider is a cloud service customer with respect to the first, and a cloud service provider with respect to the cloud service customer using its service. This example illustrates the case where this Recommendation | International Standard applies to an organization both as a cloud service customer and as a cloud service provider. Because cloud service customers and cloud service providers form a supply chain through the design and implementation of the cloud service(s), clause 15.1.3 'Information and communication technology supply chain' of ISO/IEC 27002 applies.
The multi-part International Standard ISO/IEC 27036, 'Information security for supplier relationships', provides detailed guidance on the information security in supplier relationships to the acquirer and supplier of products and services.
4.3 Relationships between cloud service customers and cloud service providers
In the cloud computing environment, cloud service customer data is stored, transmitted and processed by a cloud service. Therefore, a cloud service customer's business processes can depend upon the information security of the cloud service. Without sufficient control over the cloud service, the cloud service customer might need to take extra precautions with its information security practices.
Before entering into a supplier relationship, the cloud service customer needs to select a cloud service, taking into account the possible gaps between the cloud service customer's information security requirements and the information security capabilities offered by the service. Once a cloud service is selected, the cloud service customer should manage the use of the cloud service in such a way as to meet its information security requirements. In this relationship, the cloud service provider should provide the information and technical support that are necessary to meet the cloud service customer's information security requirements. When the information security controls provided by the cloud service provider are preset and cannot be changed by the cloud service customer, the cloud service customer may need to implement additional controls of its own to mitigate risks.
4.4 Managing information security risks in cloud services
Cloud service customers and cloud service providers should both have information security risk management processes in place. They are advised to refer to ISO/IEC 27001 for the requirements to conduct risk management in their information security management systems, and to refer to ISO/IEC 27005 for further guidance on information security risk management itself. ISO 31000, to which ISO/IEC 27001 and ISO/IEC 27005 conform, can also help general understanding of risk management.
In contrast to the general applicability of the information security risk management processes, cloud computing has its own types of risk sources, including threats and vulnerabilities, which are derived from its features, e.g., networking, scalability and elasticity of the system, resource sharing, self-service provisioning, administration on-demand, cross-jurisdictional service provisioning, and limited visibility into the implementation of controls. Annex B provides references that give information on these risk sources and associated risks in the provision and use of cloud services.
11 Physical and environmental security
11.1 Secure areas
The objective specified in clause 11.1 of ISO/IEC 27002 applies.
11.1.1 Physical security perimeter
Control 11.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.1.2 Physical entry controls
Control 11.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.1.3 Securing offices, rooms and facilities
Control 11.1.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.1.4 Protecting against external and environmental threats
Control 11.1.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.1.5 Working in secure areas
Control 11.1.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.1.6 Delivery and loading areas
Control 11.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2 Equipment
The objective specified in clause 11.2 of ISO/IEC 27002 applies.
11.2.1 Equipment siting and protection
Control 11.2.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.2 Supporting utilities
Control 11.2.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.3 Cabling security
Control 11.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.4 Equipment maintenance
Control 11.2.4 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.5 Removal of assets
Control 11.2.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.6 Security of equipment and assets off-premises
Control 11.2.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
11.2.7 Secure disposal or reuse of equipment
Control 11.2.7 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.