ISO/IEC 27017

ISO/IEC 27017 provides guidelines for information security controls applicable to the use of cloud services by providing an additional implementation guidance for 37 controls specified in ISO/IEC 27002 and 7 additional controls related to cloud services which address the following: • Who is responsible for what between the cloud service provider and the cloud customer. • The removal or return of assets at the end of a contract. • Protection and separation of the customer's virtual environment. • Virtual machine configuration. • Administrative operations and procedures associated with the cloud environment. • Cloud customer monitoring of activity. • Virtual and cloud network environment alignment. ==Structure of the standard==

The official title of the standard is "Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services". ISO/IEC 27017:2015 has eighteen sections, plus a long annex, which cover: :1. Scope :2. Normative References :3. Definitions and abbreviations :4. Cloud sector-specific concepts :5. Information security policies :6. Organization of information security :7. Human resource security :8. Asset management :9. Access control :10. Cryptography :11. Physical and environmental security :12. Operations security :13. Communications security :14. System acquisition, development and maintenance :15. Supplier relationships :16. Information security incident management :17. Information security aspects of business continuity management :18. Compliance ==References==