ISO 27017

The Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC 27017:2015) provides guidance on the information security aspects of cloud computing, stipulating practices to be adopted by both cloud service customers and cloud service providers. Because its controls are split between the two parties, it is also the standard most often used to document which side of the shared-responsibility line a given control sits on.

It provides cloud-specific implementation guidance for 37 of the 114 controls detailed in ISO/IEC 27002:2013 (stating what the provider and the customer each need to do for those controls), and adds 7 new cloud-only controls that address the following:

  • Shared roles and responsibilities: who is responsible for what between the cloud service provider and the cloud service customer
  • The removal/return of the customer’s assets when a contract is terminated
  • Protection and segregation of the customer’s virtual environment from other tenants
  • Virtual machine hardening and secure configuration
  • Administrative operations and procedures associated with the cloud environment (operational security for administrators)
  • Cloud customer monitoring of activity within the cloud service
  • Alignment of security management between virtual and physical networks

DJL’s approach is fully aligned with the Plan-Do-Check-Act (PDCA) cycle used by the ISO management system standards, a management system approach to developing, implementing, and continually improving the effectiveness of the management system.

The four steps of the PDCA cycle

  • Step 1 – Plan: Establish the objectives and processes necessary to deliver results in accordance with our client’s specifications.
  • Step 2 – Do: Provide support and guidance for the implementation of the requisite information security processes.
  • Step 3 – Check: Monitor and evaluate the processes and results against the objectives and specifications, and report the outcome.
  • Step 4 – Act: Apply the actions required for improvement. Review all steps (Plan-Do-Check-Act) and modify them to improve the management system.