ISO/IEC 27017:2015 Code of Practice for Information Security Controls
Microsoft cloud services have implemented this Code of Practice for Information Security Controls.
Microsoft and ISO/IEC 27017
ISO/IEC 27017 is unique in providing guidance for both cloud service providers and cloud service customers. It also provides cloud service customers with practical information on what they should expect from cloud service providers. Customers can benefit directly from ISO/IEC 27017 by ensuring they understand the shared responsibilities in the cloud.
Learn about the benefits of ISO/IEC 27017 on the Microsoft Cloud.
Download the ISO/IEC 27017: Code of Practice for Information Security Controls
Microsoft in-scope cloud services
Covered services include:
- Azure, Azure Government and Azure Germany detailed list
- Cloud App Security
- Dynamics 365 detailed list
- Genomics
- Graph
- Intune
- Microsoft Flow cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Office 365, Office 365 U.S. Government, Office 365 U.S. Government Defense and Office 365 Germany
- PowerApps cloud service either as a standalone service or as included in an Office 365 or Dynamics 365 branded plan or suite
- Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
- See a detailed list of covered services in Office 365
Audits, reports and certificates
Microsoft cloud services are audited once a year for the ISO/IEC 27017:2015 code of practice as part of the certification process for ISO/IEC 27001:2013.
ISO-IEC 27017 Overview
The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference for selecting cloud services information security controls when implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.
This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002, and provides additional controls to address cloud-specific information security threats and risks referring to clauses 5 to 18 in ISO/IEC 27002: 2013 for controls, implementation guidance, and other information. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002, and it also features 7 new controls that are not duplicated in ISO/IEC 27002. These new controls address the following important areas:
- Shared roles and responsibilities within a cloud computing environment
- Removal and return of cloud service customer assets upon contract termination
- Protection and separation of a customer’s virtual environment from that of other customers
- Virtual machine hardening requirements to meet business needs
- Procedures for administrative operations of a cloud computing environment
- Enabling customers to monitor relevant activities within a cloud computing environment
- Alignment of security management for virtual and physical networks
Assess your GDPR compliance
Find out if your organization meets personal data protection requirements. Take our quick, interactive 10-question evaluation to assess your readiness to comply with the GDPR today.
