ISO/IEC 27017:2015 chalks out guidelines for controls specific to information
that would be taken into account during the provisioning and deployment of cloud services. This
guideline is relevant for both cloud service providers and the service consumers.
The guidance is provided in 2-types:
This provides supplementary recommendations for control lists specified in ISO/IEC 27002 which addresses information security threats and risk considerations. The controls are specific to cloud services unlike ISO/IEC 27002 that are intended to mitigate the risks that accompany the technical and operational features of cloud services.
This control list comprises of 14 operational controls right from Management direction for
security to Information security aspects of business continuity management and Compliance.
The additional list of controls include:
|Relationship between cloud service customer and cloud service provider||Shared roles and responsibilities within a cloud computing environment|
|Responsibility for assets||Removal of cloud service customer assets|
|Access control of cloud service customer data in shared virtual environment||Segregation in virtual computing environments
Virtual machine hardening
|Operational procedures and responsibilities||Administrator’s operational security|
|Logging and monitoring||Monitoring of Cloud Services|
|Network security management||Alignment of security management for virtual and physical networks|
Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – IZO Private Cloud and IZO Cloud Storage by GSMC.
|IZO Private Cloud & IZO Cloud Storage||In-Scope services|
|Compute||Cloud services, Virtual Services, Auto Scaling|
|Network||VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV|
|Storage/ Backup||Block, File and ICS (Object) backup
Scheduled data backup and data restoration
|Database||Managed Oracle, MS-SQL, DB2 or MySQL database administration|
|Middleware||Managed Middleware service is offered on
including JBOSS; TOMCAT; Apache
|Hypervisor||VMware, Hyper-V and KVM|
|Load balancer||Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance|
|Security||SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth|