ISO/IEC 27017 – what is it?
2026-04-24
De Novo Cloud Expert
ISO/IEC 27017 is a code of practice within the ISO/IEC 27000 family that extends ISO/IEC 27002 with information security controls and implementation guidance specific to cloud services. It addresses how security responsibilities are divided between the cloud service provider and the cloud service customer (the shared responsibility model), adding cloud-specific guidance to the existing ISO/IEC 27002 controls and seven additional cloud-specific controls covering, among other things, segregation of tenants in virtual computing environments, hardening of virtual machines, operational security for administrators, and monitoring of cloud services. The standard complements ISO/IEC 27001: it does not replace the 27001 management system requirements but adapts the control set to IaaS, PaaS, and SaaS models, where control over the underlying infrastructure is split between the provider and the customer.
In practice, DSTU ISO/IEC 27017 is the national adoption of the standard used in Ukraine for implementing security policies in cloud environments. It calls for formalized access management procedures for cloud resources, change control within the cloud infrastructure, auditing of user and administrator activity, and transparency of the provider's operations toward the customer, including which controls the provider implements and which remain the customer's responsibility. Applying ISO/IEC 27017 matters for organizations that operate or consume cloud platforms, because it reduces the risk of data leakage, unauthorized access, and misconfiguration in distributed IT systems and makes clear, before an incident rather than after, which party is accountable for each control.