ISO/IEC 27017 — Overview

• Title: Code of practice for information security controls based on ISO/IEC 27002 for cloud services
• Purpose: Provides guidance for both cloud service providers (CSPs) and cloud service customers (CSCs) on implementing information security controls tailored to cloud environments.
• Publication: 2015 (ISO/IEC 27017 is an extension of ISO/IEC 27002 with cloud-specific guidance).

Proper Paid Sources (Secure & Official)

• ISO Store (iso.org) – ~138 CHF
• ANSI (webstore.ansi.org) – ~$194 USD
• BSI Group (bsigroup.com)
• SAI Global

Why You Cannot Get a "Free PDF" of ISO 27017 Legally

ISO standards are commercial publications protected by copyright laws (ISO’s own copyright policy). Unauthorized distribution of PDFs is illegal and can result in penalties. Legitimate free downloads of the full standard do not exist.

Key Controls: What’s Inside the Standard?

If you were to download the ISO 27017 PDF, you would find it builds upon the 114 controls found in ISO 27002. It introduces 37 specific cloud controls, categorized into several domains. Here are a few highlights:

• Shared Responsibilities: Specific controls defining who owns what security tasks.
• Customer Separation: Ensuring that customer data and processing environments are logically segregated from one another.
• Virtual Machine Hardening: Guidelines on securing virtual machines (VMs) against unauthorized access.
• Cloud Interface Security: Securing the APIs and interfaces used to manage the cloud environment.
• Asset Management: How to handle the lifecycle of assets specifically within a virtualized environment.