In November 2015, AWS announced it was the first cloud provider to achieve ISO 27017 certification. ISO/IEC 27017 is an internationally recognized code of practice that outlines security controls for the dynamic, fast-growing cloud computing industry.

But what does this new credential mean for AWS customers?

Good News for Customers

Seeking ISO certification reinforces AWS’ commitment to forward-thinking cloud-computing security. It provides added transparency and independent assurance that AWS follows this advanced, world-class code of practice. The certification attests to the controls AWS operates; securing what customers build on top of AWS remains a shared responsibility, which ISO 27017 itself addresses.

AWS customers can also use security services including Amazon Inspector, AWS WAF (Web Application Firewall), and AWS Config Rules to manage their side of that shared responsibility. These improve a user’s ability to manage security, enhance control, and achieve more comprehensive and transparent compliance. Customers can rely on AWS’ credentials when building their secure, compliant cloud computing capabilities.

Why is ISO 27017 important?

ISO/IEC 27017 is the newest code of practice released by the International Organization for Standardization (ISO). It is the first ISO standard to establish guidelines specific to cloud computing, building on ISO 27002 by adding cloud-specific implementation guidance and additional controls for virtual environments. ISO developed ISO 27017 in response to the European Commission’s appeal for more substantive security standards to ease customer concerns in Europe and promote the quick adoption of cloud computing across economic sectors.

All AWS Regions and AWS Edge Locations are within the scope of the AWS ISO 27017 assessment. The assessment was performed by EY CertifyPoint, a global, independent certification body responsible for granting and maintaining ISO certifications.

New Controls to Enhance Cloud Security in ISO 27017

The additional controls in ISO 27017, which complement those outlined in the earlier standards ISO 27001 and ISO 27002, provide guidance on:

  • Outlining shared roles and responsibilities between the cloud provider and the cloud customer
  • Clarifying requirements for the segregation of information in virtual computing environments
  • Defining the administrator’s duties in maintaining operational security
  • Charting guidelines for monitoring cloud services
  • Aligning the security management of virtual networks with the practices used for physical networks