標準簡介
ISO/IEC 27017:2015 是由 國際標準化組織 (ISO) 發布的現行有效標準,常用於科技、服務業、金融銀行、醫療健康等產業,並適用於全球等市場。
本頁整理了 ISO/IEC 27017:2015 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。
Cloud-Specific Controls
Provides 7 additional controls beyond ISO 27002, addressing shared responsibility, virtual machine hardening, customer asset removal, and virtual environment segregation.
Shared Responsibility Model
Clearly delineates security responsibilities between cloud service providers and cloud service customers — a critical distinction often misunderstood in cloud deployments.
Customer Monitoring
Requires cloud providers to enable customers to monitor relevant activities within their cloud environment, supporting transparency and compliance verification.
list_alt Key Control Areas
- Shared roles and responsibilities in cloud environments
- Virtual machine hardening and isolation requirements
- Customer asset removal upon contract termination
- Virtual environment segregation between tenants
- Cloud administrative operations procedures
- Customer activity monitoring capabilities
- Alignment of virtual and physical network security
- Guidance for both cloud service providers and customers
Who Needs to Comply?
Cloud service providers (IaaS, PaaS, SaaS) and organizations consuming cloud services that need to demonstrate robust cloud security controls. Especially relevant for technology companies, financial services, healthcare, and government agencies.
Key Requirements
Responsibility Delineation
Clearly define and document the division of information security responsibilities between the cloud service provider and the cloud service customer. Ensure both parties understand their respective obligations.
Virtual Environment Isolation
Implement controls to ensure adequate separation of virtual environments between different cloud service customers. Prevent unauthorized access across tenant boundaries.
Asset Management on Termination
Establish and communicate procedures for the return or secure deletion of customer assets, data, and configurations when a cloud service agreement ends or transitions to another provider.
Cloud Operations Security
Implement procedures for administrative operations specific to cloud computing environments, including monitoring of cloud resources, logging of cloud-specific events, and hardening of virtual machines.
Penalties & Enforcement
No direct legal penalties — ISO/IEC 27017 is a voluntary code of practice (not independently certifiable). However, it supplements ISO 27001 certification and is increasingly expected by enterprise customers and regulators evaluating cloud security posture.