ISO/IEC 27017 Compliance

Cloud Security Controls and Shared Responsibility

What is ISO/IEC 27017?

ISO/IEC 27017 is an international standard that provides guidelines for information security controls applicable to cloud services. It extends the ISO/IEC 27002 framework by addressing the unique risks and responsibilities of cloud service providers and cloud customers.

Its goal is to ensure secure cloud environments, protect sensitive information, and clearly define shared security responsibilities.

Key ISO/IEC 27017 requirements:

  • Shared Responsibilities: Clearly define security roles and responsibilities between cloud providers and customers.
  • User Access Management: Control privileged access and enforce strong authentication for cloud resources.
  • Cloud-Specific Logging and Monitoring: Ensure that cloud-related activities are logged, monitored, and traceable.
  • Virtual Environment Protection: Safeguard virtual machines, containers, and data flows between them.
  • Cloud Service Agreements: Define compliance obligations, data protection measures, and audit rights in contracts.

How Visual Guard facilitates ISO/IEC 27017 compliance:

Centralized access management:

Define and enforce access rights for cloud-based applications and services.

Strong authentication and MFA:

Apply MFA and federated identity mechanisms to secure cloud logins.

Cloud activity traceability:

Capture and retain logs of user actions across SaaS, PaaS, and on-premises environments.

Role-based and context-based rules:

Restrict access to sensitive cloud resources based on department, role, or context.

Support for compliance audits:

Provide dashboards and reports to demonstrate adherence to ISO/IEC 27017 controls.

Detailed technical capabilities

Access Control & User Management

  • Centralize identity management for cloud users
  • Apply role-based and context-based rules (department, tenant, location)
  • Enforce segregation of duties (SoD) and least-privilege access in multi-tenant environments

Strong & Federated Authentication

  • Enforce MFA (OTP via email, SMS, app, or hardware tokens)
  • Support SSO and federated authentication with Entra ID, Active Directory, SAML 2.0, OAuth 2.0, OpenID Connect

Identity Lifecycle Management

  • Automate provisioning and de-provisioning of cloud users
  • Synchronize identities with Entra ID, AWS IAM, or Google Workspace

Logging & Monitoring

  • Generate immutable audit logs of access and administrative actions
  • Provide compliance dashboards and exportable audit reports

Cloud-Specific Context Rules

  • Adaptive access controls based on tenant, geolocation, device, or time

Use case

Enforcing ISO/IEC 27017 at a SaaS provider

A SaaS provider offering HR and payroll solutions must align with ISO/IEC 27017. It needs to enforce strict access control, secure its multi-tenant platform, and provide full traceability of client data access.

How Visual Guard helped:

  • Centralized identity management for thousands of client organizations.
  • Enforced MFA for all administrators and privileged users.
  • Implemented tenant-based access restrictions to isolate client data.
  • Generated compliance reports demonstrating ISO/IEC 27017 adherence.

Result: The SaaS provider secured its cloud platform, reinforced customer trust, and simplified certification by clearly demonstrating compliance with ISO/IEC 27017.