ISO/IEC 27017
What is ISO/IEC 27017?
ISO/IEC 27017 is a code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls, numbered with a CLD prefix against the 2013 edition of 27002: CLD.6.3.1 shared roles and responsibilities within a cloud computing environment, CLD.8.1.5 removal of cloud service customer assets, CLD.9.5.1 segregation in virtual computing environments, CLD.9.5.2 virtual machine hardening, CLD.12.1.5 administrator's operational security, CLD.12.4.5 monitoring of cloud services, and CLD.13.1.4 alignment of security management for virtual and physical networks. For the other 27002 controls it supplies cloud-specific implementation guidance, written separately from the perspectives of the cloud service provider and the cloud service customer. Because 27017 is a code of practice rather than a management-system standard, it is not certified on its own: a 27017 certificate is issued as an extension of an ISO/IEC 27001 certification, and it is typically pursued by SaaS, IaaS and PaaS providers; the major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. Note that the 2022 revision of ISO/IEC 27002 renumbered its controls, so 27017 references still follow the 2013 numbering until the standard itself is revised. For customers, ISO 27017 serves as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
● Examples
- 01
A cloud provider's ISO 27017 certificate and accompanying statement of applicability describe its virtual-machine hardening baseline (CLD.9.5.2), its customer-isolation controls in the virtualized environment (CLD.9.5.1), and its logging of administrator actions (CLD.12.1.5).
- 02
A customer references ISO 27017 control CLD.6.3.1 (shared roles and responsibilities) when documenting its shared-responsibility split with a SaaS vendor for incident response, stating which party detects, triages, notifies and remediates at each layer.
● Frequently asked questions
What is ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers. This term belongs to the category Compliance and frameworks in cybersecurity.
What does ISO/IEC 27017 mean?
The name designates the international standard ISO/IEC 27017:2015, the cloud-services code of practice based on ISO/IEC 27002; see the definition above.
How does ISO/IEC 27017 work?
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
How is ISO/IEC 27017 used defensively?
ISO/IEC 27017 is a standard, not a threat, so there is nothing to defend against; it is applied by implementing the technical controls and operational practices it describes (virtual machine hardening, tenant segregation, administrator logging, cloud service monitoring) and by documenting the shared-responsibility split between provider and customer, as detailed in the definition above.
What are the other names for ISO/IEC 27017?
Common alternative names: ISO 27017, ISO/IEC 27017:2015, Cloud security code of practice.
● Related terms
- compliance№ 620
ISO/IEC 27001
International standard that specifies the requirements for an Information Security Management System (ISMS) and against which organizations can be formally certified.
- compliance№ 621
ISO/IEC 27002
International code of practice giving detailed implementation guidance for the security controls listed in Annex A of ISO/IEC 27001.
- compliance№ 623
ISO/IEC 27018
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
- cloud-security№ 1142
Shared responsibility model
Cloud security framework that divides security duties between the provider (security of the cloud) and the customer (security in the cloud).
- cloud-security№ 210
Cloud security
Set of policies, controls and technologies that protect data, applications and infrastructure hosted in public, private or hybrid cloud environments.
- compliance№ 226
Compliance
Discipline of meeting legal, regulatory, contractual and internal security requirements through documented controls, evidence and continuous assessment.