[ Certification Introduction ]

ISO/IEC 27017:2015 standard implements information security control based on a common understanding between Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs), and is used for certification or assessment of information security management of cloud services.

This international standard provides the following guidelines for both Cloud Service Providers and Customers.

• •  Additional implementation guidelines for relevant controls specified in ISO/IEC 27002
• •  Specific additional control implementation guidelines regarding cloud services

<ISO/IEC 27017 Certification Introduction>

In particular, this standard added new implementation guidelines suitable for cloud services for 35 of The 114 control items of ISO/IEC 27002, and added the following seven items as extended control items specialized for cloud services.

• •  Shared roles and responsibilities within a cloud computing environment
• •  Removal and return of cloud service customer assets upon contract termination
• •  Protection and separation of a customer's virtual environment from environments of other customers
• •  Virtual machine hardening requirements to meet business needs
• •  Procedures for administrative operations of a cloud computing environment
• •  Enabling customers to monitor relevant activities within a cloud computing environment
• •  Alignment of security management for virtual and physical networks

[ ISO/IEC 27017:2015 Requirements ]

Despite the importance of cloud services, it is often confusing who should protect the information that the cloud has between the cloud service providers or cloud service customers. The role of cloud service providers (CSPs) is to mitigate the risk of information security breaches of the cloud, and it is the responsibility of cloud service customers (CSCs) to implement organizational information security controls and processes.

• Scope
• Normative references
• Definitions and abbreviations
• Cloud sector-specific concepts
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

• Annex A Cloud service extended control set
• Annex B References on information security risk related to cloud computing

[ The importance of ISO/IEC 27017:2015 ]

• 1. It provides cloud service customers (CSCs) with practical information about what has to expect from cloud service providers (CSPs) and explains their roles and responsibilities as cloud service users.
• 2. It helps to understand cloud sharing responsibilities and effectively utilize cloud services.
• 3. When digital evidence or other information needs to be provided in a cloud computing environment, if comply this standard as a framework, can prepare for forensic investigations or other issues, regarding information private.
• 4. Demonstrate that organizational resilience can be built in the cloud and extensive operations.

[ The necessity of ISO/IEC 27017:2015 ]

• •  As cloud service amount provided and usage increases, the need for cloud service-related information protection control guidelines is also increasing.
• •  In the cloud industry, this standard can be utilized to quickly apply information protection control guidelines about cloud service providers and users.
• •  Cloud service control and implementation guidelines can be used for cloud system-based information protection processing.
• •  It can pose a great threat if companies without cloud security systems provide cloud services.

[ The effect of ISO/IEC 27017:2015 ]

• •  By providing customers and stakeholders with the reliability that data and information are protected, they can improve their public image.
• •  It can reduce the risk of unfavorable reputation due to data leakage and protect the brand's reputation.
• •  ISO/IEC 27017:2015 clearly defines roles and responsibilities so that all parties involved can understand their role in protecting organizational information.
• •  Cloud services are rapidly in demand worldwide due to their cost-effectiveness and mobility advantages, and for this reason, the growth of the industry is also high.
• •  It can be protected from legal lawsuits or disputes that hinder business operations.
• •  From a cloud service provider's point of view, can increase user reliability and contribute to improving the level of information protection of providers through objective and fair cloud security certification.