ISO/IEC 27017
What is ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers.
ISO/IEC 27017:2015, 'Code of practice for information security controls based on ISO/IEC 27002 for cloud services,' is the cloud-specific companion to ISO/IEC 27002. It adds seven cloud-only controls — addressing shared roles and responsibilities, removal of cloud service customer assets, segregation in virtualized environments, virtual machine hardening, administrator's operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks — and provides cloud-contextual guidance on the other 27002 controls, written from the perspectives of both cloud provider and customer. ISO 27017 certification is typically pursued alongside ISO 27001 by SaaS, IaaS, and PaaS providers; major hyperscalers (AWS, Azure, GCP) and many SaaS vendors hold it. For customers, ISO 27017 acts as a checklist for cloud-vendor security questionnaires and as guidance on how to delineate shared-responsibility duties.
● Examples
- 01
A cloud provider's ISO 27017 attestation describes its virtual-machine hardening baseline, customer-isolation controls, and admin-action logging.
- 02
A customer references ISO 27017 control 6.3.1 when documenting its shared-responsibility split with a SaaS vendor for incident response.
● FAQ
What is ISO/IEC 27017?
A code of practice that extends ISO/IEC 27002 with cloud-specific information security controls, providing guidance for both cloud service providers and cloud service customers. It belongs to the Compliance & Frameworks category of cybersecurity.
What other names does ISO/IEC 27017 go by?
Common aliases include: ISO 27017, Cloud security code of practice.
● Related terms
- compliance № 620
ISO/IEC 27001
The international standard for information security management system (ISMS) requirements, against which organizations can obtain formal certification.
- compliance № 621
ISO/IEC 27002
International implementation guidance for information security controls, giving detailed advice on implementing the controls listed in Annex A of ISO/IEC 27001.
- compliance № 623
ISO/IEC 27018
A code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors, layering privacy-specific controls on top of ISO/IEC 27002.
- cloud-security № 1142
Shared responsibility model
A cloud security framework that divides security duties into "security of the cloud", owned by the cloud service provider, and "security in the cloud", owned by the customer.
- cloud-security № 210
Cloud security
The set of policies, controls and technologies used to protect data, applications and infrastructure hosted in public, private or hybrid cloud environments.
- compliance № 226
Compliance
The practice of meeting legal, regulatory, contractual and internal security requirements through documented controls, evidence collection and continuous assessment.