Published: 9 Mar 2018

Richard Green breaks down the history and practicality of ISO/IEC 27017:2015.

Few people outside of the world of computing will be familiar with the name J.C.R. Licklider, an American psychologist and pioneering computer scientist who was working at the Massachusetts Institute of Technology (MIT) in the early 1960s. For those operating within the Information and Communications Technology (ICT) arena, however, he is revered as one of the most significant contributors to the profession, and a worthy inductee into the Internet Hall of Fame.

Licklider was special because he was a visionary. Some 10 years before the advent of the personal computer, he foresaw an ‘intergalactic network’ in which everyone would have access to their own computer, capable of reaching data anywhere in the world. He had no idea how such a network could be built, but he was convinced that achieving it was critically important, and he dedicated the remainder of his career to pursuing that goal.

More than 50 years later, Licklider’s dream has become a reality. With the advent of the internet and, more recently, cloud computing, universal, on-demand access to applications, information and data is now the norm. But with this openness has come a new challenge: how can organisations protect their valuable ICT assets from unauthorised access when those assets sit in infrastructure they neither own nor directly control?

The (extensive) ISO/IEC 27000 series of standards provides assistance. It contains both Information Security Management System (ISMS) requirements and guidance intended to reduce an organisation’s information security risk exposure. Of these standards, ISO/IEC 27000, ISO/IEC 27001 and ISO/IEC 27002 are the best known. ISO/IEC 27000 provides an ISMS overview and vocabulary, ISO/IEC 27001 specifies the requirements an ISMS must meet (and is the standard against which organisations are certified), and ISO/IEC 27002 provides best practice recommendations on implementing information security controls. Whilst ISO/IEC 27002 provides sufficient coverage for most organisations, it was felt that additional guidelines were necessary for both cloud service customers and cloud service providers, given the additional risks these parties face as a consequence of operating in cloud environments: responsibility for controls is split between the two parties, and the customer typically cannot inspect the provider’s infrastructure directly. In response, ISO/IEC 27017 ‘Code of practice for information security controls based on ISO/IEC 27002 for cloud services’ was published in December 2015. 

(ISO/IEC 27017) identifies any additional controls and implementation guidance over and above that contained within ISO/IEC 27002

This initial version of the standard was the result of a collaboration between ISO/IEC Joint Technical Committee 1’s subcommittee 27 (IT Security Techniques) and the International Telecommunication Union’s Study Group 17 (Security). As a result, the text of ISO/IEC 27017 is also published under the title “ITU-T X.1631 (07/2015)”.

The structure of ISO/IEC 27017 is aligned with that of ISO/IEC 27002. The standard contains 18 ‘clauses’, two annexes and a bibliography. The control clauses cover topics ranging from the setting of information security (IS) policy, through organisational aspects of IS, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, system acquisition, development and maintenance, supplier relationships, IS incident management and IS aspects of business continuity management, to compliance. ISO/IEC 27017 does not reiterate the existing, applicable objectives and controls contained within ISO/IEC 27002 for these areas, but instead identifies additional controls and implementation guidance over and above that contained within ISO/IEC 27002, where this is thought necessary for cloud service customers and/or providers. For each relevant ISO/IEC 27002 control the guidance is typically split into what the customer should do and what the provider should do, making the shared-responsibility boundary explicit; the genuinely new cloud-specific controls (covering matters such as the segregation of tenants in virtual computing environments and the hardening of virtual machines) are collected in Annex A. Note that, like ISO/IEC 27002, the standard is a code of practice rather than a set of certifiable requirements: in practice it is assessed as an extension of an ISO/IEC 27001 certification, not on its own.

For those operating in a cloud environment with an existing ISMS in place, my recommendation is that the additional guidance contained within ISO/IEC 27017 is adopted. 

Richard Green, CQP MCQI, is Managing Director of Kingsford Consultancy Services