ISO/IEC 27017:2015 chalks out guidelines for controls specific to information security that would be taken into account during the provisioning and deployment of cloud services. This guideline is relevant for both cloud service providers and the service consumers.
The guidance is provided in 2-types:

  1. When there is separate guidance for cloud service providers and the service consumers
  2. When there is same guidance for cloud service providers and the service consumers


Why is ISO/IEC 27017: 2015 required?

This provides supplementary recommendations for control lists specified in ISO/IEC 27002 which addresses information security threats and risk considerations. The controls are specific to cloud services unlike ISO/IEC 27002 that are intended to mitigate the risks that accompany the technical and operational features of cloud services.

This control list comprises of 14 operational controls right from Management direction for information security to Information security aspects of business continuity management and Compliance.
The additional list of controls include:

Description Controls
Relationship between cloud service customer and cloud service provider Shared roles and responsibilities within a cloud computing environment
Responsibility for assets Removal of cloud service customer assets
Access control of cloud service customer data in shared virtual environment Segregation in virtual computing environments
Virtual machine hardening
Operational procedures and responsibilities Administrator’s operational security
Logging and monitoring Monitoring of Cloud Services
Network security management Alignment of security management for virtual and physical networks


Is Tata Communications ISO/IEC 27017:2015 certified?

Tata Communications has achieved ISO/IEC 27017: 2015 certification of Information Security Management System (ISMS) for the delivery of managed cloud services – IZO Private Cloud and IZO Cloud Storage by GSMC.


ISO/IEC 27017: 2015 in-scope services:

IZO Private Cloud & IZO Cloud Storage In-Scope services
Compute Cloud services, Virtual Services, Auto Scaling
Network VPN Gateway, Load balancer, switches, router, WAF, Firewall, NFV
Storage/ Backup Block, File and ICS (Object) backup
Scheduled data backup and data restoration
Database Managed Oracle, MS-SQL, DB2 or MySQL database administration
Middleware Managed Middleware service is offered on applications including JBOSS; TOMCAT; Apache
Application maintenance
Hypervisor VMware, Hyper-V and KVM
Load balancer Static, Dynamic, Persistence : NFV-Virtual Appliance, Physical Appliance
Security SIEM, DDoS detection & mitigation, firewall monitoring & management, WAF, UTM and network based vUTM – SIGS, Managed and monitoring IDS/IPS, OAuth


Review all of our global compliance programs

Contact us

Contact us to learn how we can help you unleash collaboration, creativity, and commercial innovation.