
ISO/IEC 27017:2015: How to Improve the Security of Cloud Services and Build Customer Trust


Cloud computing has long ceased to be merely a convenient IT infrastructure. For businesses in Kazakhstan, Uzbekistan, Georgia, and Kyrgyzstan, it is already a working environment where customer data, financial documents, CRM systems, corporate email, and even critical business processes are stored. But together with convenience comes the key question: how can you prove to clients and partners that the cloud environment is genuinely secure? This is where ISO 27017 comes to the forefront — a practical guide to protecting cloud services for both providers and Cloud users.

What ISO/IEC 27017:2015 is and why it matters

ISO/IEC 27017:2015 is an international standard that complements ISO/IEC 27001 and focuses specifically on the security of cloud services. While ISO 27001 provides the overall framework for managing information security, ISO 27017 adds specific controls for the cloud model: who is responsible for what, how access should be segregated, how virtual environments should be managed, and how to reduce risks when transferring data to the Cloud.

For businesses, this is particularly important because responsibility in the cloud is always shared. The provider is responsible for part of the infrastructure, while the client is responsible for access settings, users, service configuration, and the way data is handled. In practice, many incidents occur not because of a “cloud breach”, but because one of the parties does not understand its area of responsibility.

That is why cloud computing security standards are becoming not a formality, but a tool for building trust. When a company demonstrates that it uses recognised international approaches to protecting its Cloud environment, it becomes easier to pass partner audits, participate in tenders, and reassure clients that their data is under control.

What issues ISO 27017 addresses

The main value of the standard lies in the fact that it turns the abstract idea of “cloud security” into specific management and technical actions. It helps establish clear rules both for the cloud provider and for the customer organisation.

Before implementing control measures, it is important to understand where the main risks are usually hidden:

  • unclear allocation of responsibilities between the provider and the client;
  • excessive access rights for employees and contractors;
  • weak change control within the cloud infrastructure;
  • insufficient protection of virtual machines and administrative panels;
  • lack of transparency regarding backup, deletion, and return of data;
  • risks of information leakage when using shared cloud resources;
  • weak event logging and insufficient monitoring of suspicious activity.

This list clearly illustrates one simple idea: the cloud does not become secure “by default”. It becomes secure when processes, roles, and controls are configured just as carefully as a good autopilot in an aircraft: the system helps, but without crew discipline, it will not get very far.

Control measures for cloud service providers

For providers, ISO/IEC 27017 sets a higher standard of transparency and manageability. Clients want to understand where their data is stored, how their environments are isolated from other tenants, and what happens in the event of an incident.

It is important for the provider to establish clear rules in the following areas:

Segregation of roles and responsibilities

The client should clearly understand which security measures are provided by the provider and which remain on the client’s side. This reduces the risk of false expectations and gaps in protection.

Protection of the virtual environment

The creation, modification, and deletion of virtual machines, containers, and cloud instances must be controlled, and images and templates must be protected against unauthorised changes.

Management of privileged user access

A cloud administrator is rather like a person holding a master key to the entire building. For this reason, the actions of such users must be strictly controlled, logged, and reviewed on a regular basis.
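As an added example that is not part of the original article, the following Python script shows what the "logged and reviewed on a regular basis" requirement can look like in practice. It runs over a handful of constructed audit lines (the format, the actor names and the action names are assumptions for this illustration, not any provider's real log schema) and flags privileged actions that were taken by an account outside the approved administrator list, without a recorded change ticket, or outside the agreed change window.

```python
import re
from datetime import datetime

# Constructed sample audit lines for this example (not real provider logs).
# Columns: timestamp, actor, action, target, change ticket ("-" = none recorded).
SAMPLE_LOG = """\
2024-03-04T09:12:03Z alice@corp vm.delete vm-1042 CHG-118
2024-03-04T09:15:41Z bob@corp vm.create vm-1043 CHG-118
2024-03-04T23:47:10Z carol@corp image.modify tpl-base-linux -
2024-03-05T02:03:55Z svc-backup@corp role.grant admin:dave@corp -
2024-03-05T10:30:00Z alice@corp vm.read vm-1042 -
"""

# Actions that the review treats as privileged (assumed set for this example).
PRIVILEGED_ACTIONS = {"vm.create", "vm.delete", "image.modify", "role.grant"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one audit line into its fields; returns None for malformed lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts_text, actor, action, target, ticket = match.groups()
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "action": action,
        "target": target,
        "ticket": ticket,
    }


def review_privileged_actions(log_text, approved_admins, change_window=(8, 19)):
    """Return a list of findings for privileged actions that need follow-up.

    change_window is (start_hour, end_hour) in the log's timezone; anything
    outside it is flagged for review even if the actor and ticket are fine.
    """
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["action"] not in PRIVILEGED_ACTIONS:
            continue
        base = (event["ts"].isoformat(), event["actor"], event["action"], event["target"])
        if event["actor"] not in approved_admins:
            findings.append(base + ("actor not in approved administrator list",))
        if event["ticket"] == "-":
            findings.append(base + ("no change ticket recorded",))
        if not change_window[0] <= event["ts"].hour < change_window[1]:
            findings.append(base + ("outside agreed change window",))
    return findings


def findings_by_actor(findings):
    """Group finding counts per actor, which is the view a periodic review starts from."""
    counts = {}
    for _, actor, _, _, _ in findings:
        counts[actor] = counts.get(actor, 0) + 1
    return counts


if __name__ == "__main__":
    approved = {"alice@corp", "bob@corp", "carol@corp"}
    for finding in review_privileged_actions(SAMPLE_LOG, approved):
        print(" | ".join(finding))
    print(findings_by_actor(review_privileged_actions(SAMPLE_LOG, approved)))
```

In the sample, the two ticketed daytime actions by approved administrators produce nothing, while the night-time template change without a ticket and the role grant by a service account produce the findings a reviewer would expect to see; a real review would feed the same logic from the provider's actual audit export.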

Secure deletion and return of data

At the end of the contract, the client must understand exactly how their data will be returned and how any residual information will be securely removed from the provider’s environment.

Monitoring and incident response

It is important for the provider not merely to record events, but to have a clear procedure for notification, investigation, and interaction with the client in the event of security breaches.

What Cloud users should control

Customer organisations cannot simply “leave everything to the provider” either. Even the strongest provider will not protect a business from weak passwords, uncontrolled allocation of access rights, or employees storing sensitive documents in open folders.

Cloud users should pay attention to the following measures:

Access rights configuration

Access should be granted on the basis of the principle of least privilege. The fewer unnecessary permissions there are, the lower the chance of error or misuse.

Configuration control

Incorrect configuration of storage, networks, APIs, and administrative panels is one of the most common causes of incidents in the Cloud.
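The two customer-side measures above, least-privilege access rights and configuration control, can both be checked mechanically. The Python below is an added example written for this article, not code from the standard or from any provider: it audits a constructed, vendor-neutral policy document for wildcard permissions and a constructed list of storage settings for public access, missing encryption and missing access logging. The field names (`statements`, `effect`, `actions`, `resources`, `public_read`, `encryption`, `logging`) are assumptions for the illustration and would be mapped to the real provider's schema in practice.

```python
# Constructed sample inputs for this example; the schema is an assumption,
# loosely modelled on common cloud IAM and object-storage settings.
SAMPLE_POLICY = {
    "name": "contractor-reporting",
    "statements": [
        {"effect": "allow", "actions": ["storage:GetObject"], "resources": ["bucket:reports/*"]},
        {"effect": "allow", "actions": ["*"], "resources": ["*"]},
        {"effect": "allow", "actions": ["iam:*"], "resources": ["*"]},
        {"effect": "deny", "actions": ["*"], "resources": ["bucket:finance/*"]},
    ],
}

SAMPLE_STORAGE = [
    {"name": "reports", "public_read": False, "encryption": "provider-managed", "logging": True},
    {"name": "exports", "public_read": True, "encryption": None, "logging": False},
]


def _is_wildcard_action(action):
    """'*' or a service-wide 'service:*' grant counts as a wildcard action."""
    return action == "*" or action.endswith(":*")


def find_overbroad_statements(policy):
    """Flag allow-statements that grant wildcard actions or apply to every resource.

    Deny statements are skipped: a broad deny narrows access rather than widening it.
    """
    findings = []
    for index, statement in enumerate(policy.get("statements", [])):
        if statement.get("effect") != "allow":
            continue
        if any(_is_wildcard_action(a) for a in statement.get("actions", [])):
            findings.append({"policy": policy["name"], "statement": index, "issue": "wildcard action"})
        if "*" in statement.get("resources", []):
            findings.append({"policy": policy["name"], "statement": index, "issue": "wildcard resource"})
    return findings


def find_exposed_storage(buckets):
    """Flag storage settings that commonly lead to data exposure or blind spots."""
    findings = []
    for bucket in buckets:
        name = bucket["name"]
        if bucket.get("public_read"):
            findings.append({"bucket": name, "issue": "public read access enabled"})
        if not bucket.get("encryption"):
            findings.append({"bucket": name, "issue": "encryption at rest not configured"})
        if not bucket.get("logging"):
            findings.append({"bucket": name, "issue": "access logging disabled"})
    return findings


def audit(policy, buckets):
    """Combine both checks into one report, as a scheduled configuration review would."""
    return {
        "access_rights": find_overbroad_statements(policy),
        "configuration": find_exposed_storage(buckets),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, SAMPLE_STORAGE)
    for area, items in report.items():
        print(f"{area}: {len(items)} finding(s)")
        for item in items:
            print("  ", item)
```

Run on the sample, the first statement (read access to one prefix) passes, the two broad allow-statements each raise two findings, and the `exports` bucket raises three; the point is that both the access-rights question and the configuration question reduce to checks that can be rerun after every change rather than answered once at implementation time.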

Data classification

It is important to determine in advance which data may be stored in the cloud, which requires additional encryption, and which is better kept in isolated environments.

Review of contractual terms

It is essential to analyse the SLA, backup arrangements, data storage locations, incident notification procedures, and the responsibilities of each party.

Staff training

Even the best implementation of ISO 27017 will not work without people who understand how to use cloud services securely in their day-to-day work.

Once these measures have been implemented, a company gains not just a “security tick-box”, but a clear system for managing risks. For a business, this means fewer disruptions, greater process predictability, and more confidence on the part of clients.

How ISO 27017 Helps Strengthen Customer Trust

When a company works with the cloud, the client is effectively entrusting it not only with a service, but also with their data, reputation, and sometimes even business continuity. That is why trust is built not on promises, but on verified practices.

In this respect, cloud computing security standards serve as a clear international language between the company, the client, and the partner. If an organisation has implemented processes in line with ISO/IEC 27017, this means that issues such as access, monitoring, allocation of responsibilities, and protection of the cloud environment are addressed systematically rather than “as circumstances arise”.

For companies operating in the markets of Central Asia and the Caucasus, this is also a competitive advantage. International clients are increasingly assessing suppliers not only on price, but also on the maturity of their risk management. For this reason, ISO 27017 certification in Kazakhstan and neighbouring countries is becoming increasingly relevant for IT companies, SaaS providers, data centres, fintech projects, and service organisations.

Who particularly needs the ISO 27017 standard

The standard is especially beneficial for those who:

  • provide cloud services;
  • store personal, financial, or commercially sensitive data in the cloud;
  • undergo audits by clients or investors;
  • participate in tenders and international projects;
  • want to reduce the risks of data breaches, downtime, and claims from customers.

If your company is already developing an information security management system, it is useful to align cloud control measures with the overall security architecture. In this context, it is worth looking at the ISO/IEC 27017 service and assessing how the implementation of the standard can be adapted to your business.

For companies that want to grow, work with major clients, and strengthen their reputation, ISO/IEC 27017 becomes a strong argument in favour of a mature approach to security. And the System Management team across the CIS can help you move through this process more quickly — from understanding the requirements to preparing for certification and strengthening trust in your business.
