Information Security Controls for Cloud Services

ISO/IEC 27002 provides generic best-practice controls for information security management.

ISO/IEC 27017 builds on ISO/IEC 27002 by adapting and extending these controls specifically for the cloud, including guidance for both cloud providers and customers. This helps ensure that the unique risks of cloud computing are managed effectively.

Cloud customers benefit from ISO/IEC 27017 by:

• Choosing a provider with independently validated cloud-specific security controls.
• Understanding and verifying shared security responsibilities.
• Enhancing due diligence for regulatory or contractual requirements.
• Gaining assurance about data location, access control, and incident response in the cloud.

For cloud service providers like Exoscale, ISO/IEC 27017 certification:

• Demonstrates commitment to cloud security best practices.
• Builds trust with customers and partners.
• Clarifies roles, responsibilities, and security obligations in cloud service agreements.
• Provides a framework for continuous improvement in cloud security management.

ISO/IEC 27017 addresses the unique security risks and requirements of cloud computing environments that are not fully covered by traditional information security standards.

• Establishes best-practice security controls tailored to the cloud.
• Supports both cloud providers and customers in fulfilling their security obligations.
• Enhances transparency and reduces risk when migrating workloads to the cloud.
• Supports compliance with regulatory, industry, and contractual demands.

Yes. Customers can access our ISO/IEC 27017 certificate and supporting compliance documentation via the Exoscale Compliance Center. Additional audit details are available to customers on request or under NDA.