| ISO/IEC 27017 | |
|---|---|
| Name | ISO/IEC 27017 |
| Developed by | International Organization for Standardization; International Electrotechnical Commission |
| First published | 2015 |
| Revised | 2017 |
| Status | Published |
ISO/IEC 27017 is an international technical standard providing guidelines for information security controls applicable to cloud services, published by the International Organization for Standardization and the International Electrotechnical Commission. It complements existing information security frameworks used by organizations such as Amazon Web Services, Microsoft Azure, Google Cloud Platform and IBM Cloud, and guides both cloud service providers and cloud customers, in line with practices at Deutsche Telekom, Alibaba Cloud and Oracle Cloud Infrastructure. The standard is used alongside management schemes applied by institutions including the European Commission, the National Institute of Standards and Technology, the World Bank and United Nations bodies.
ISO/IEC 27017 offers sector-specific elaboration of controls originating from the international information security norms adopted by the International Organization for Standardization's member bodies and the International Electrotechnical Commission's technical committees, and aligns with risk management approaches used by the Basel Committee on Banking Supervision, the Financial Conduct Authority, the Monetary Authority of Singapore and the Bank for International Settlements. Practitioners from firms such as Accenture, Deloitte, PwC, KPMG and Capgemini reference it when advising enterprises including HSBC, JPMorgan Chase, Goldman Sachs and Siemens on cloud security. Regulators and standards bodies including the European Banking Authority, the Office of the Comptroller of the Currency and the Australian Prudential Regulation Authority consider the guidance when assessing cloud outsourcing.
The standard's scope targets cloud service customer-provider relationships of the kind governed by contracts negotiated by Cisco Systems, Salesforce, SAP SE and VMware. Its structure augments the control objectives found in ISO/IEC 27001 and ISO/IEC 27002, both developed under ISO/IEC JTC 1, and in industry schemes followed by the Payment Card Industry Security Standards Council and Health Level Seven International. Committees comprising members from the British Standards Institution, the American National Standards Institute, Standards Australia and the Japanese Industrial Standards Committee contributed to sections addressing governance, asset management, access control and incident management as applied in environments operated by Netflix, Spotify, Airbnb and Uber Technologies.
ISO/IEC 27017 expands on controls for areas such as shared roles, separation of duties and virtualized infrastructure of the kind employed by Intel Corporation, Advanced Micro Devices, NVIDIA and ARM Holdings. It provides detailed guidance on data segregation, encryption, key management and logging practices used by RSA Security, Symantec, McAfee and Trend Micro. The standard also sets out recommendations for customer responsibility profiles, service-level agreements and audit facilitation relevant to procurement by Walmart, Procter & Gamble, General Electric and Toyota Motor Corporation, and for incident response coordination akin to exercises conducted by Interpol, Europol and the Federal Bureau of Investigation.
ISO/IEC 27017 interoperates with management systems such as the certification model in ISO/IEC 27001 and the control catalogue in ISO/IEC 27002, and aligns with sector-specific requirements in standards published by the International Telecommunication Union, the European Telecommunications Standards Institute, the Institute of Electrical and Electronics Engineers and the Internet Engineering Task Force. It is often referenced alongside regulatory frameworks such as the General Data Protection Regulation, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, and alongside guidance from the National Institute of Standards and Technology's publications. Industry assurance schemes such as SOC 2, CSA STAR and FedRAMP are frequently mapped to its controls by auditors from Ernst & Young, BDO, Grant Thornton and Crowe Global.
Adoption occurs across multinationals, managed service providers and public agencies, including Google LLC, Microsoft Corporation, Amazon.com, Inc., NASA and the European Space Agency, and through consultancy engagements with firms such as McKinsey & Company and Boston Consulting Group. Implementation projects commonly mirror change programs at Siemens AG, Boeing, Lockheed Martin and Northrop Grumman and incorporate cloud governance models used by Cisco, HP Inc. and Dell Technologies. Training and competence development draw on curricula from institutions such as the SANS Institute, ISACA, (ISC)² and Coursera when preparing personnel.
While ISO/IEC 27017 itself is a guidance standard and not a certifiable management system independent of ISO/IEC 27001, organizations pursue demonstrable compliance in audit engagements by accredited bodies including UKAS, ANAB, JAS-ANZ and DAkkS. Compliance assessments are integrated into assurance reports produced by PricewaterhouseCoopers, KPMG International and Deloitte Touche Tohmatsu Limited, and by specialized cloud auditors such as CIS and the Cloud Security Alliance. Legal and contractual scrutiny involves counsel from firms such as Baker McKenzie, DLA Piper, Skadden, Arps, Slate, Meagher & Flom and Linklaters.
The standard was first published in 2015 and revised in subsequent editions influenced by contributions from national delegations including the United Kingdom, the United States, Germany, Japan, China and India, and from corporate stakeholders such as Huawei, Ericsson, Nokia and Siemens. Updates reflect evolving cloud practices driven by serverless computing, Kubernetes adoption led by Google and the Cloud Native Computing Foundation, and high-profile incidents investigated by the US Department of Homeland Security, ENISA and the Office of the Australian Information Commissioner.