ISO/IEC 27017
Was ist ISO/IEC 27017?
ISO/IEC 27017A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
● Beispiele
- 01
A cloud provider's ISO 27017 attestation describes its virtual-machine hardening baseline, customer-isolation controls, and admin-action logging.
- 02
A customer references ISO 27017 control 6.3.1 when documenting its shared-responsibility split with a SaaS vendor for incident response.
● Häufige Fragen
Was ist ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers. Es gehört zur Kategorie Compliance und Frameworks der Cybersicherheit.
Was bedeutet ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
Wie funktioniert ISO/IEC 27017?
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
Wie schützt man sich gegen ISO/IEC 27017?
Schutzmaßnahmen gegen ISO/IEC 27017 kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für ISO/IEC 27017?
Übliche alternative Bezeichnungen: ISO 27017, Cloud security code of practice.
● Verwandte Begriffe
- compliance№ 620
ISO/IEC 27001
Internationaler Standard mit Anforderungen an ein Information Security Management System (ISMS), nach dem Organisationen formal zertifiziert werden können.
- compliance№ 621
ISO/IEC 27002
Internationaler Leitfaden mit detaillierten Empfehlungen zur Umsetzung der Informationssicherheitskontrollen aus Anhang A von ISO/IEC 27001.
- compliance№ 623
ISO/IEC 27018
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
- cloud-security№ 1142
Modell der geteilten Verantwortung
Ein Cloud-Sicherheitsrahmen, der die Sicherheitsaufgaben zwischen dem Cloud-Anbieter (Sicherheit der Cloud) und dem Kunden (Sicherheit in der Cloud) aufteilt.
- cloud-security№ 210
Cloud-Sicherheit
Die Gesamtheit aus Richtlinien, Kontrollen und Technologien, die Daten, Anwendungen und Infrastrukturen in Public-, Private- oder Hybrid-Cloud-Umgebungen schützen.
- compliance№ 226
Compliance
Die Disziplin, gesetzliche, regulatorische, vertragliche und interne Sicherheitsanforderungen durch dokumentierte Kontrollen, Nachweise und laufende Bewertung einzuhalten.