ISO/IEC 27017:2015 chalks out guidelines for controls specific to information
security
that would be taken into account during the provisioning and deployment of cloud services. This
guideline is relevant for both cloud service providers and the service consumers.
The guidance is provided in 2-types:
- When there is separate guidance for cloud service providers and the service consumers
- When there is same guidance for cloud service providers and the service consumers
Why is ISO/IEC 27017: 2015 required?
This provides supplementary recommendations for control lists specified in ISO/IEC 27002 which addresses information security threats and risk considerations. The controls are specific to cloud services unlike ISO/IEC 27002 that are intended to mitigate the risks that accompany the technical and operational features of cloud services.
This control list comprises of 14 operational controls right from Management direction for
information
security to Information security aspects of business continuity management and Compliance.
The additional list of controls include:
| Description | Controls |
| Relationship between cloud service customer and cloud service provider | Shared roles and responsibilities within a cloud computing environment |
| Responsibility for assets | Removal of cloud service customer assets |
| Access control of cloud service customer data in shared virtual environment | Segregation in virtual computing environments Virtual machine hardening |
| Operational procedures and responsibilities | Administrator’s operational security |
| Logging and monitoring | Monitoring of Cloud Services |
| Network security management | Alignment of security management for virtual and physical networks |
Is Tata Communications ISO/IEC 27017:2015 certified?
Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – IZO Private Cloud and IZO Cloud Storage by GSMC.
ISO/IEC 27017: 2015 in-scope services:
| IZO Private Cloud & IZO Cloud Storage | In-Scope services |
| Compute | Cloud services, Virtual Services, Auto Scaling |
| Network | VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV |
| Storage/ Backup | Block, File and ICS (Object) backup Scheduled data backup and data restoration |
| Database | Managed Oracle, MS-SQL, DB2 or MySQL database administration |
| Middleware | Managed Middleware service is offered on
applications
including JBOSS; TOMCAT; Apache Application maintenance |
| Hypervisor | VMware, Hyper-V and KVM |
| Load balancer | Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance |
| Security | SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth |
ABOUT ISO/IEC 27017:2015
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Contact us
Contact us to learn how we can help you unleash collaboration, creativity, and commercial innovation.