verified_user
Standardful
首頁chevron_right標準chevron_rightISO/IEC 27017:2015
現行有效國際標準update 標準更新:2015年12月fact_check 事實核查:2026年6月28日

ISO/IEC 27017:2015

資訊技術 安全技術 基於 ISO/IEC 27002 的雲服務資訊安全控制實務指南

apartment發布組織:國際標準化組織 (ISO)

標準簡介

ISO/IEC 27017:2015 是由 國際標準化組織 (ISO) 發布的現行有效標準,常用於科技、服務業、金融銀行、醫療健康等產業,並適用於全球等市場。

本頁整理了 ISO/IEC 27017:2015 的官方文件、目前狀態以及常見相關認證或評估機構,便於快速理解要求與落地路徑。

cloud

Cloud-Specific Controls

Provides 7 additional controls beyond ISO 27002, addressing shared responsibility, virtual machine hardening, customer asset removal, and virtual environment segregation.

handshake

Shared Responsibility Model

Clearly delineates security responsibilities between cloud service providers and cloud service customers — a critical distinction often misunderstood in cloud deployments.

visibility

Customer Monitoring

Requires cloud providers to enable customers to monitor relevant activities within their cloud environment, supporting transparency and compliance verification.

list_alt Key Control Areas

  • Shared roles and responsibilities in cloud environments
  • Virtual machine hardening and isolation requirements
  • Customer asset removal upon contract termination
  • Virtual environment segregation between tenants
  • Cloud administrative operations procedures
  • Customer activity monitoring capabilities
  • Alignment of virtual and physical network security
  • Guidance for both cloud service providers and customers

誰需要合規?

groups

Cloud service providers (IaaS, PaaS, SaaS) and organizations consuming cloud services that need to demonstrate robust cloud security controls. Especially relevant for technology companies, financial services, healthcare, and government agencies.

關鍵要求

1

Responsibility Delineation

Clearly define and document the division of information security responsibilities between the cloud service provider and the cloud service customer. Ensure both parties understand their respective obligations.

2

Virtual Environment Isolation

Implement controls to ensure adequate separation of virtual environments between different cloud service customers. Prevent unauthorized access across tenant boundaries.

3

Asset Management on Termination

Establish and communicate procedures for the return or secure deletion of customer assets, data, and configurations when a cloud service agreement ends or transitions to another provider.

4

Cloud Operations Security

Implement procedures for administrative operations specific to cloud computing environments, including monitoring of cloud resources, logging of cloud-specific events, and hardening of virtual machines.

實施路線圖

1
階段 1schedule 預計週期: 2-4 周

定義雲安全角色

識別雲服務、共享責任邊界、雲服務客戶和提供商義務、租戶、平臺、區域、管理員,以及對 ISO/IEC 27001 和 ISO/IEC 27002 控制的依賴。

2
階段 2schedule 預計週期: 4-8 周

映射雲特定控制

依據 ISO/IEC 27017 指南評估客戶資產處理、虛擬環境保護、管理員操作、租戶隔離、監控、加固、刪除以及提供商與客戶協同的現有控制。

3
階段 3schedule 預計週期: 8-16 周

實施運行證據

更新雲政策、合同、配置基線、IAM、日誌、漏洞管理、事件響應、變更控制、安全刪除和客戶責任文檔。

4
階段 4schedule 預計週期: 持續進行

整合到 ISMS 保證

將雲控制納入 ISO 27001 風險處置、供應商評審、內部審覈、管理評審、服務變更、新區域和客戶保證材料。

合規檢查清單

0 / 12

checklist 雲範圍

checklist 控制實施

checklist 保證

處罰與執行

warning

No direct legal penalties — ISO/IEC 27017 is a voluntary code of practice (not independently certifiable). However, it supplements ISO 27001 certification and is increasingly expected by enterprise customers and regulators evaluating cloud security posture.

常見問題解答

ISO/IEC 27017 涵蓋什麼?

expand_more

ISO/IEC 27017 基於 ISO/IEC 27002,爲雲服務提供商和雲服務客戶提供雲特定實施指南和附加控制。

組織能只認證 ISO 27017 嗎?

expand_more

ISO 27017 通常作爲 ISO 27001 信息安全管理體系的擴展或保證層使用,而不是單獨的管理體系認證。

什麼是共享責任?

expand_more

共享責任定義哪些安全控制由雲提供商負責,哪些仍由客戶負責。ISO 27017 通過合同、文檔和運行控制幫助明確這些邊界。

哪些控制最具雲特性?

expand_more

常見重點包括虛擬環境保護、租戶隔離、管理員操作、監控、客戶資產返還或刪除、雲服務配置,以及提供商與客戶之間的協調。

客戶應如何使用提供商認證?

expand_more

提供商認證是有用的保證證據,但客戶仍需安全配置服務、管理身份、分類數據、監控使用情況並記錄自身責任。

官方文件

查看全部

實施時間線

description
2005年
ISO/IEC 27002 published as the base code of practice
security
2013年
ISO/IEC 27001:2013 establishes ISMS framework for cloud providers
check_circle
2015年12月
ISO/IEC 27017:2015 published with cloud-specific guidance
update
2022年
ISO/IEC 27002:2022 published — updated base control set
cloud
2023年
Major cloud providers (AWS, Azure, GCP) maintain ISO 27017 attestations

相關分類