ISO/IEC 27017:2015
ISO/IEC 27017:2015 chalks out guidelines for controls specific to information security that would be taken into account during the provisioning and deployment of cloud services. This guideline is relevant for both cloud service providers and the service consumers.
The guidance is provided in 2-types:
- When there is separate guidance for cloud service providers and the service consumers
- When there is same guidance for cloud service providers and the service consumers
Why is ISO/IEC 27017: 2015 required?
This provides supplementary recommendations for control lists specified in ISO/IEC 27002 which addresses information security threats and risk considerations. The controls are specific to cloud services unlike ISO/IEC 27002 that are intended to mitigate the risks that accompany the technical and operational features of cloud services.
This control list comprises of 14 operational controls right from Management direction for information security to Information security aspects of business continuity management and Compliance.
The additional list of controls include:
| Description | Controls |
| Relationship between cloud service customer and cloud service provider | Shared roles and responsibilities within a cloud computing environment |
| Responsibility for assets | Removal of cloud service customer assets |
| Access control of cloud service customer data in shared virtual environment | Segregation in virtual computing environments Virtual machine hardening |
| Operational procedures and responsibilities | Administrator’s operational security |
| Logging and monitoring | Monitoring of Cloud Services |
| Network security management | Alignment of security management for virtual and physical networks |
Is Tata Communications ISO/IEC 27017:2015 certified?
Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – Tata Communications Vayu Cloud and Tata Communication Vayu Cloud Storage by GSMC.
ISO/IEC 27017: 2015 in-scope services:
| Tata Communications Vayu Cloud & Tata Communication Vayu Cloud Storage | In-Scope services |
| Compute | Cloud services, Virtual Services, Auto Scaling |
| Network | VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV |
| Storage/ Backup | Block, File and ICS (Object) backup Scheduled data backup and data restoration |
| Database | Managed Oracle, MS-SQL, DB2 or MySQL database administration |
| Middleware | Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache Application maintenance |
| Hypervisor | VMware, Hyper-V and KVM |
| Load balancer | Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance |
| Security | SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth |
ABOUT ISO/IEC 27017:2015
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Other certifications
We offer a wealth of experience and a wide portfolio of products designed to help your business grow. Discover more exciting opportunities and create a truly bespoke solution.
Frequently asked questions
What is the ISO/IEC 27017:2015 standard?
The ISO/IEC 27017:2015 standard provides cloud-specific information security controls for both cloud service providers and customers. Unlike general security frameworks, ISO IEC 27017 2015 focuses on risks unique to cloud environments, offering guidance on shared responsibilities, virtualisation security, monitoring, network protection, and secure cloud operations.
How does Tata Communications achieve ISO/IEC 27017:2015 certification for its cloud services?
Tata Communications meets ISO IEC 27017 2015 requirements by implementing cloud-specific security controls across Vayu Cloud and Vayu Cloud Storage. This includes strong virtualisation security, network protection, access controls, logging, monitoring, and well-defined provider customer responsibilities. Our ISMS is audited to ensure full alignment with the standard’s cloud security guidelines.
How does ISO/IEC 27017:2015 complement ISO/IEC 27001:2013?
ISO/IEC 27017:2015 enhances the broader ISO/IEC 27001 framework by adding cloud-specific security recommendations. While ISO/IEC 27001 establishes the foundation for an Information Security Management System, ISO IEC 27017 2015 addresses risks related to virtual machines, cloud networking, shared environments, and cloud provider customer responsibilities, strengthening overall cloud security.
What is the difference between ISO 27001 and ISO 27017?
ISO/IEC 27001 sets the general security requirements for an organisation’s ISMS, while iso 27017 2015 provides additional guidance tailored specifically for cloud environments. ISO 27001 covers overall risk management and security governance, whereas ISO 27017 focuses on cloud-specific controls such as virtualisation, cloud access, and secure cloud operations.
How does Tata Communications achieve ISO/IEC 27017:2015 certification for its cloud services?
Tata Communications obtains ISO IEC 27017 2015 certification by applying cloud-specific controls across compute, storage, network, security, middleware, and virtualisation layers. Independent audits verify that we meet ISO/IEC 27017 guidelines for cloud operations, customer data protection, monitoring, isolation in virtual environments, and secure cloud service delivery.
What benefits do enterprises gain from Tata Communications’ ISO/IEC 27017:2015-certified cloud services?
Enterprises benefit from enhanced trust, stronger cloud-specific security controls, and clear shared-responsibility guidelines through ISO 27017 2015 certification. Tata Communications’ certified services provide improved virtualisation security, monitoring, secure access, and robust governance, helping organisations reduce cloud risks, maintain compliance, and operate confidently in regulated or sensitive environments.
What’s next?
Experience our solutions
Engage with interactive demos, insightful surveys, and calculators to uncover how our solutions fit your needs.
Exclusively for You
Stay updated on our Cloud Fabric and other platforms and solutions.
Disclaimer: IZO™ Cloud is now Tata Communications Vayu Cloud. TATA COMMUNICATIONS VAYU branded services are available in India only.