Information security controls for cloud services.

ISO 27017:2015 provides guidelines on how to manage information security controls based on ISO/IEC 27002 for cloud services. It is intended for use by both cloud service providers and cloud service users.

ISO/IEC 27002:2013 provides a set of best practice recommendations on information security management. It is intended for use by organizations in any sector.

ISO 27017:2015 and ISO/IEC 27002:2013 are intended for use together to provide a set of best practice recommendations for managing information security risks in cloud computing environments.

ISO 27017:2015 can help cloud service users to:

• Select a cloud service provider that has implemented controls for managing information security risks;
• Confirm that the cloud service provider has implemented a set of controls that has been selected to satisfy a set of information security requirements;
• Confirm that the cloud service provider has implemented the controls in an acceptable manner;
• Confirm that the cloud service provider has implemented the controls in a manner that is effective in the management of information security risks.

ISO 27017:2015 can help cloud service providers to:

• Demonstrate that they have implemented a set of controls for managing information security risks;
• Demonstrate that they have implemented the controls in an acceptable manner;
• Demonstrate that they have implemented the controls in a manner that is effective in the management of information security risks.