Vol. 1 · Ed. 2026
CyberGlossary
Entry № 622

ISO/IEC 27017

What is ISO/IEC 27017?

ISO/IEC 27017: A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.


ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.

  1. A cloud provider's ISO 27017 attestation describes its virtual-machine hardening baseline, customer-isolation controls, and admin-action logging.

  2. A customer references ISO 27017 control 6.3.1 when documenting its shared-responsibility split with a SaaS vendor for incident response.

Frequently asked questions

What is ISO/IEC 27017?

A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers. It belongs to the Compliance and Frameworks category of cybersecurity.

What are other names for ISO/IEC 27017?

Common aliases: ISO 27017, Cloud security code of practice.

Related terms