ISO/IEC WD TS 27017

Information technology -- Security techniques -- Information security management - Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002

This standard will provide guidance on the information security elements/aspects of cloud computing. It will be accompanied by ISO/IEC 27018 covering the privacy aspects of cloud computing.

The standard will recommend, in addition to the information security controls recommended in ISO/IEC 27002, cloud-specific security controls.

The project has widespread support from national bodies plus the Cloud Security Alliance.

Scope and purpose

The standard is expected to be a guideline or code of practice recommending relevant information security controls for cloud computing.

The decision to progress a cloud privacy standard in parallel naturally implies that this standard will exclude privacy and the protection of personal data.

Status of the standard

The standard will build on the revised version of ISO/IEC 27002 (work in progress).

The second WD is more than 200 pages long, mostly comprising the current working text of ISO/IEC 27002 with changes/additions to suit the cloud computing context.

Note: SC27 decided NOT to progress a separate cloud security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud suppliers specifically.