INTERNATIONAL ISO/IEC STANDARD 27017 First edition 2015-12-15 InformationtechnologySecurity techniquesCode of practicefor informationsecuritycontrolsbasedon ISO/lEC27002forcloudservices Technologiesdel'informationTechniquesdesecurite-Codede pratiquepourlescontrolesdesecuritedelinformationfondessur rISO/IEC27002pourlesservicesdunuage Reference number ISO/IEC 27017:2015(E) E ISO ISO/IEC2015 12/25/2015 20:36:40 MS7 ISO/IEC27017:2015(E) COPYRIGHTPROTECTEDDOCUMENT ISO/IEC2015 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Casepostale 56:CH-1211Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland ational Organization for Standardizatio @ISO/IEC2015Allrights reserved se from IHS No reprodu etworking permited witout lic Not for Resale, 22015 2360 MST ISO/IEC27017:2015(E) Foreword Commission) form the specialized system for worldwide standardization. National bodies that are members of established by the respective organization to deal with particular fields of technical activity. ISO and IEC technology,ISO and IEC have establisheda jointtechnical committee,ISO/IEC JTC1. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.Publication as an International Standard requires approvalbyatleast 75 %of thenationalbodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC27017 was prepared by JointTechnical Committee ISO/IECJTC1,Information technology, ITU-T.X.1631 (07/2015). zanonorstddizasonAllrightsreserved ili with IS Not for Resale, 12/25/2015 20:36:40 MS1 mational Organization for Standardization Not for Resale, 12/25/2015 20:36:40 MST Telecommunication International Union ITU-T X.1631 (07/2015) TELECOMMUNICATION STANDARDIZATIONSECTOR OF ITU SERIESX:DATANETWORKS.OPENSYSTEM COMMUNICATIONSANDSECURITY Cloud computing security -Cloud computing security design Informationtechnology-Securitytechniques Codeofpracticeforinformationsecurity controlsbasedonISO/lEC27002forcloud services RecommendationITU-TX.1631 Not for Resale, 12/25/2015 20:36:40 MST ITU-T X-SERIES RECOMMENDATIONS PUBLICDATANETWORKS X.1X.199 OPEN SYSTEMSINTERCONNECTION X.200X.299 INTERWORKINGBETWEENNETWORKS X.300X.399 MESSAGEHANDLING SYSTEMS X.400-X.499 DIRECTORY X.500X.599 OSINETWORKINGANDSYSTEMASPECTS X.600X.699 OSI MANAGEMENT X.700X.799 SECURITY X.800X.849 OSIAPPLICATIONS X.850X.899 OPENDISTRIBUTEDPROCESSING X.900X.999 INFORMATIONANDNETWORKSECURITY General security aspects X.1000-X.1029 Network security X.1030X.1049 Security management X.1050X.1069 Telebiometrics X.1080X.1099 SECUREAPPLICATIONSAND SERVICES Multicast security X.1100X.1109 Home network security X.1110X.1119 Mobile security X.1120-X.1139 Web security X.1140X.1149 Security protocols X.1150X.1159 Peer-to-peer security X.1160X.1169 Networked ID security X.1170-X.1179 IPTV security X.1180X.1199 CYBERSPACESECURITY Cybersecurity X.1200-X.1229 Countering spam X.1230X.1249 Identity management X.1250X.1279 SECUREAPPLICATIONS ANDSERVICES Emergencycommunications X.1300X.1309 Ubiquitous sensor network security X.1310X.1339 PKI related Recommendations X.1340X.1349 CYBERSECURITYINFORMATIONEXCHANGE Overview of cybersecurity X.1500X.1519 Vulnerability/state exchange X.1520X.1539 Event/incident/heuristics exchange X.1540X.1549 Exchange of policies X.1550-X.1559 Heuristics and information request X.1560-X.1569 Identification and discovery X.1570X.1579 Assured exchange X.1580X.1589 CLOUDCOMPUTING SECURITY Overview of cloud computing security X.1600-X.1601 Cloud computing security design X.1602-X.1639 Cloud computing security best practices and guidelines X.1640-X.1659 Cloud computing security implementation X.1660-X.1679 Other cloud computing security X.1680-X.1699 For fiurther details, please refer to the list of ITU-T Recommendations. ational Organization for Standardizatio se ftrom IHS Nt for Resale, 1225/2015 2036:40 MST INTERNATIONALSTANDARDISO/IEC27017 RECOMMENDATIONITU-TX.1631 Informationtechnology-