Microsoft secures ISO 27017 security certification around cloud-specific threats

Microsoft has announced it has obtained ISO 27017 compliance, a new cloud-based security certification published at the end of last year.

The certification from the ISO, the global organisation which has published more than 21,000 international standards across a variety of industries, is newer and consequently less known than the ISO 27018 standard, which sets out guidelines to protect personally identifiable information (PII).

Microsoft claimed to be the first adopter of ISO 27018, in February last year. Now, according to an Azure company blog post, it also holds ISO 27017, which gives additional controls that specifically relate to cloud services.

“We are happy to announce Microsoft Azure obtained the ISO/IEC 27017:2015 certification, an international standard that aligns with and complements the ISO/IEC 27002:2013 with an emphasis on cloud-specific threats and risks,” wrote Alice Rison, Microsoft Azure senior director.

The certification is still nascent among cloud providers, yet Amazon Web Services (AWS) secured 27017 compliance as far back as November last year, claiming to be the first to get the green light. “Certifying that we follow yet another best practice won’t come as a surprise; we’ve already proven that information security is job #1 here at AWS,” Jeff Barr, AWS chief evangelist, trumpeted in a blog post at the time.

Compliance, and ensuring data stays where it should, through certification with a globally recognised authority needs to be key for both customers and cloud providers. Writing for this publication last month on ISO 27001, a standard launched in 2013 around information security management, Frank Krieger, director of compliance at iland, explained the important questions for organisations to ask, not least that certificates should not be taken at face value.

“Organisations should care a great deal about ISO compliance in the cloud and ensure their partners and providers care as well,” he wrote. “ISO compliance in the cloud doesn’t have to be a nightmare, but you do need to approach the process with the level of rigour that the standard demands.”
