标准简介
ISO/IEC 27017:2015 是由 国际标准化组织 (ISO) 发布的有效标准,常用于科技、服务业、金融银行、医疗健康等行业,并适用于全球等市场。
本页汇总了 ISO/IEC 27017:2015 的官方文档、当前状态以及常见相关认证或评估机构,便于快速理解要求与落地路径。
Cloud-Specific Controls
Provides 7 additional controls beyond ISO 27002, addressing shared responsibility, virtual machine hardening, customer asset removal, and virtual environment segregation.
Shared Responsibility Model
Clearly delineates security responsibilities between cloud service providers and cloud service customers — a critical distinction often misunderstood in cloud deployments.
Customer Monitoring
Requires cloud providers to enable customers to monitor relevant activities within their cloud environment, supporting transparency and compliance verification.
list_alt Key Control Areas
- Shared roles and responsibilities in cloud environments
- Virtual machine hardening and isolation requirements
- Customer asset removal upon contract termination
- Virtual environment segregation between tenants
- Cloud administrative operations procedures
- Customer activity monitoring capabilities
- Alignment of virtual and physical network security
- Guidance for both cloud service providers and customers
谁需要合规?
Cloud service providers (IaaS, PaaS, SaaS) and organizations consuming cloud services that need to demonstrate robust cloud security controls. Especially relevant for technology companies, financial services, healthcare, and government agencies.
关键要求
Responsibility Delineation
Clearly define and document the division of information security responsibilities between the cloud service provider and the cloud service customer. Ensure both parties understand their respective obligations.
Virtual Environment Isolation
Implement controls to ensure adequate separation of virtual environments between different cloud service customers. Prevent unauthorized access across tenant boundaries.
Asset Management on Termination
Establish and communicate procedures for the return or secure deletion of customer assets, data, and configurations when a cloud service agreement ends or transitions to another provider.
Cloud Operations Security
Implement procedures for administrative operations specific to cloud computing environments, including monitoring of cloud resources, logging of cloud-specific events, and hardening of virtual machines.
实施路线图
定义云安全角色
识别云服务、共享责任边界、云服务客户和提供商义务、租户、平台、区域、管理员,以及对 ISO/IEC 27001 和 ISO/IEC 27002 控制的依赖。
映射云特定控制
依据 ISO/IEC 27017 指南评估客户资产处理、虚拟环境保护、管理员操作、租户隔离、监控、加固、删除以及提供商与客户协同的现有控制。
实施运行证据
更新云政策、合同、配置基线、IAM、日志、漏洞管理、事件响应、变更控制、安全删除和客户责任文档。
整合到 ISMS 保证
将云控制纳入 ISO 27001 风险处置、供应商评审、内部审核、管理评审、服务变更、新区域和客户保证材料。
合规检查清单
checklist 云范围
checklist 控制实施
checklist 保证
处罚与执行
No direct legal penalties — ISO/IEC 27017 is a voluntary code of practice (not independently certifiable). However, it supplements ISO 27001 certification and is increasingly expected by enterprise customers and regulators evaluating cloud security posture.
常见问题解答
ISO/IEC 27017 涵盖什么?
expand_more
ISO/IEC 27017 基于 ISO/IEC 27002,为云服务提供商和云服务客户提供云特定实施指南和附加控制。
组织能只认证 ISO 27017 吗?
expand_more
ISO 27017 通常作为 ISO 27001 信息安全管理体系的扩展或保证层使用,而不是单独的管理体系认证。
什么是共享责任?
expand_more
共享责任定义哪些安全控制由云提供商负责,哪些仍由客户负责。ISO 27017 通过合同、文档和运行控制帮助明确这些边界。
哪些控制最具云特性?
expand_more
常见重点包括虚拟环境保护、租户隔离、管理员操作、监控、客户资产返还或删除、云服务配置,以及提供商与客户之间的协调。
客户应如何使用提供商认证?
expand_more
提供商认证是有用的保证证据,但客户仍需安全配置服务、管理身份、分类数据、监控使用情况并记录自身责任。