The ISO 27000 series is a set of important security documents released by the International Organization for Standardization (ISO) to provide a guideline for best practices in IT security management, ISMS development and organizational security and risk management practices. The earlier documents (27001, 27002, etc.) serve as a baseline for this series, and many of the following documents build from that foundation.
Later documents in the series develop guidelines for more specialized applications. One of these, ISO 27017, addresses security practices for the expanding area of cloud infrastructure that most business operations now rely on.
What is ISO 27017, and How Does it Apply to Cloud Services Providers?
To begin with, ISO 27017 builds off of foundational documents, namely 27001 and 27002. These documents outline the extensive security and risk management controls that serve as the backbone of the ISO 27000 series. ISO 27017 serves as a reference for cloud service providers to select controls from ISO 27002, including cloud-specific implementations.
What does this mean for your business? If you are a cloud provider or a managed service provider (MSP), then you might consider the additional layers of security that this standard can provide. Controls outlined in ISO 27017 cover areas that include the following:
- How to handle customer data stored on cloud infrastructure after contract termination
- Providing monitoring services for clients to monitor stored data
- Developing security control configurations to respond to attacks on both physical and virtual networks
- Hardening virtual appliances hosted in the cloud
- Separating and protecting multiple client environments on the same cloud environment
- Roles and responsibilities within the cloud environment
- Policies, procedures and auditing of cloud environment administration
As you can see, a key difference between cloud environments and traditional ones is that applications, virtual machines, and always-on cloud infrastructure can open up vulnerabilities for clients and providers alike.
What Are Some Critical Security Controls in ISO 27017?
While ISO 27017 is ostensibly rooted in ISO 27002 (which is a catalog of controls used throughout the 27000 series), it organizes these controls in ways that best serve cloud providers and MSPs.
Some of the major control areas in the ISO 27017 specification include the following:
- Management and Return of Assets: A cloud provider or MSP should include functions that can support client data management on the cloud by both the MSP and the client. Furthermore, there should be a reliable and timely procedure for returning client data upon contract termination. Finally, the MSP should have procedures in place for handling, storing, and (if necessary) disposing of removable media containing client data per ISO 27002 guidelines.
- Access Control: The MSP should have user access controls in place to protect client data and allow only authorized clients or employees to access cloud resources. Furthermore, the MSP should readily provide procedures for obtaining a password, changing credentials, or authorizing a re-issue of credentials. Finally, the MSP should implement multifactor authentication (MFA) as part of cloud IAM.
- Integrated Applications: The MSP should restrict the use of utility programs that can change system or application settings or controls, if not eliminate such access completely. This includes any integrations that change user settings, source code or other configuration data.
- Compliance and Cryptography: The MSP should include required encryption algorithms and standards as promised to clients and established in contracts or agreements.
- Physical Security: Cloud servers, data centers and local workstations must be secured against breach through measures like locks, key locks, and protections on network cables. Furthermore, policies must be in place to detail these measures.
- Operational Security: MSPs should have complete and comprehensive security controls protecting assets, including malware protection, audit logging, reporting and documentation, continuous monitoring, network and system segregation, and backups.
The Importance of ISO 27017 for Managed Service Providers
The value of security certifications can’t be overstated, but since ISO isn’t a required framework for most industries, it could be tempting for you to skip over it. Of course, there are many contexts where providers might best avoid complex compliance requirements. Meeting such certification requirements, however, brings significant benefits for your business.
Some of the reasons that you’d want to meet ISO 27017 certification include:
- Reputation: ISO certification isn’t a light feat, and obtaining certification carries a certain ethos. It tells potential customers that your systems are reliable and secure. Furthermore, having such security controls can prevent breaches that, in the long run, can destroy your standing in your industry.
- Stewardship: Recent breaches such as SolarWinds and Colonial Pipeline show how fragile cloud networks can be if not properly secured. More importantly, they show how a breach of a cloud service provider can impact hundreds of businesses and thousands, if not millions, of customers. If you are an MSP, you should secure your systems as best you can.
- Compliance: Not all compliance frameworks are created equal, but some, like ISO, are rigorous enough to translate to or promote certification under other frameworks. The National Institute of Standards and Technology (NIST) provides integration guidelines between key guidelines and ISO requirements, and meeting ISO certification can go a long way towards meeting other compliance demands.
Continuum GRC: Automated Compliance Without Sacrificing Security
You may blanch at the notion of adding another set of audits, compliance reviews and monitoring processes, and that reaction might keep you from pursuing compliance requirements that could protect client information. Continuum GRC can make that decision much easier for you.
If you are a cloud service provider or MSP, we can provide you with automated compliance and certification audits that reduce work times from weeks or months to days. At the same time, we provide critical consulting to ensure that those compliance decisions align with your business so that you don’t sacrifice growth or responsiveness for security.
Are You Ready for ISO 27017 Certification?
Call Continuum GRC at 1-888-896-6207 or complete the form below.