ISO/IEC 27017
What is ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
● Examples
- 01: A cloud provider's ISO 27017 attestation describes its virtual-machine hardening baseline, customer-isolation controls, and admin-action logging.
- 02: A customer references ISO 27017 control 6.3.1 when documenting its shared-responsibility split with a SaaS vendor for incident response.
● Frequently asked questions
What is ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers. It belongs to the category Compliance and frameworks in cybersecurity.
What are other names for ISO/IEC 27017?
Common alternative names: ISO 27017, Cloud security code of practice.
● Related terms
- compliance № 620
ISO/IEC 27001
International standard that sets out the requirements for an Information Security Management System (ISMS) and enables formal certification of organizations.
- compliance № 621
ISO/IEC 27002
International code of good practice that offers detailed guidance for implementing the security controls listed in Annex A of ISO/IEC 27001.
- compliance № 623
ISO/IEC 27018
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
- cloud-security № 1142
Shared responsibility model
Cloud security framework that divides tasks between the provider (security of the cloud) and the customer (security in the cloud).
- cloud-security № 210
Cloud security
Set of policies, controls and technologies that protect data, applications and infrastructure hosted in public, private or hybrid clouds.
- compliance № 226
Regulatory compliance
Discipline that ensures legal, regulatory, contractual and internal security requirements are met through documented controls, evidence and continuous assessment.