ISO 27017 Cloud Security Assessment

Evaluate cloud security controls per ISO/IEC 27017:2015 for cloud service providers and cloud customers, covering shared responsibility, data protection, and cloud-specific risks.

Industries: Technology, Healthcare, Biotech, Finance, All | Duration: 20 minutes | 20 questions

1. Shared Responsibility & Governance

Have you documented the shared responsibility model between cloud provider and customer?*

ISO 27017 Clause 5: Clear delineation of security responsibilities (IaaS/PaaS/SaaS)

Are cloud security policies aligned with organizational risk tolerance?*

Governance: Cloud usage policies, approved services, security baselines

Do you assess cloud provider security certifications (SOC 2, ISO 27001, FedRAMP)?*

Due diligence: Verify cloud provider third-party attestations

2. Cloud Customer Controls

Do you implement cloud asset inventory and configuration management?*

CLD.6.2.1: Track all cloud resources (VMs, storage, databases, APIs)

Are cloud security configurations hardened per CIS Benchmarks or vendor guidance?*

Secure cloud configuration: Disable unnecessary services, enable logging

Do you monitor cloud costs and usage to detect anomalies and waste?*

CLD.6.3.1: Unusual usage may indicate compromise or resource abuse

Are cloud workloads segmented using virtual networks and security groups?*

Network isolation: VPCs, subnets, security groups, NACLs

3. Cloud Provider Controls

Does the cloud provider offer and enable security logging and monitoring?*

CLD.12.4.1: CloudTrail, Azure Monitor, GCP Cloud Logging for audit trails

Does the cloud provider support customer data isolation and multi-tenancy security?*

CLD.12.4.5: Hypervisor security, storage isolation, network segmentation

Are SLAs in place covering availability, performance, and security incident response?*

CLD.6.1.1: Service Level Agreements define expectations and remedies

4. Data Protection & Encryption

Is data encrypted at rest using customer-managed or provider-managed keys?*

CLD.9.2.2: AES-256 encryption with key management (KMS, Key Vault, Cloud KMS)

Is data encrypted in transit using TLS 1.2+ for all cloud communications?*

CLD.9.2.1: Protect data moving between client, cloud, and services

Do you classify data and apply appropriate protection based on sensitivity?*

Data classification: Public, internal, confidential, PHI/PII

Are data backups encrypted and stored in geographically separate regions?*

CLD.12.3.1: Geo-redundant backups protect against regional failures

5. Access Control & Identity

Is multi-factor authentication (MFA) enforced for all cloud console/API access?*

CLD.9.2.4: MFA required for privileged and administrative access

Are IAM policies configured using least privilege principles?*

CLD.9.2.3: Grant minimum permissions necessary for job function

Do you use role-based access control (RBAC) for cloud resource permissions?*

IAM roles: Define permissions by job role, not individual users

6. Incident Management & Continuity

Do you have incident response procedures specific to cloud security events?*

CLD.16.1.5: Cloud IR covers account compromise, data breaches, misconfigurations

Are cloud resources backed up with tested recovery procedures?*

CLD.12.3.1: RPO/RTO defined and validated through DR testing

Is there a process for secure decommissioning and data deletion from the cloud?*

CLD.11.2.8: Cryptographic erasure or provider-certified data destruction
