An Update On Canada’s Role in ISO 27017

The International Organization for Standardization (ISO) is working on developing a set of global guidelines for cloud computing environments. The new standard, ISO 27017, is set to include information security controls to protect cloud providers and customers.

At the helm of these standards is the Canadian Chapter of the Cloud Security Alliance. Since Canada has one of the most advanced sets of information protection, particularly around the Patriot act which controls the flow of data and its use by foreign countries, its natural that we would be heavily involved in ensuring that the new standard meets the unique issues presented by cloud computing which includes the movement of data in a global space.

The ITU, an agency of the United Nations is working very closely with the CSA to examine the security concerns as it relates to security as a service which will help ensure the evolving cloud market has benchmarks which organizations will need to comply against. Currently, the final draft is close to completion, followed by a period of approximately two years during which the public can review and comment on the inclusions. Therefore, it will see be several years before a final completed global standard exists, but the existing draft framework will help cloud service providers have a framework on which to develop new services.

One of the major upsides to having this framework in place is that it will help organizations audit new services against the proposed guidelines, and will ensure that providers are measured on an equal playing field. Right now, the lack of standardization makes it difficult to do a proper comparison on service deliverables and platforms because there is so little information available on what should be included as part of a service, and what the specific roles of the provider and customer are.

The Telecom Working Group, which represents members from telecommunications companies, vendors and partners on a global scale, is spearheading several initiatives in creating best practices across several key areas including forensics, SIEM, compliance monitoring and governance, risk and compliance as they relate to outsourcing. These initiatives are geared to help drive awareness and formal policy adoption in cloud security. The Telecom Working Group is also involved in the larger Cloud Security Alliance body as one of the key research arms and been designated to provide global influence on how to delivery cloud solutions and foster cloud awareness, and was responsible for authoring the latest Cloud Security Alliance Guidelines document.

For more information on the Cloud Security Alliance or the Telecom Working Group, please visit



  1. Don Sheppard says:

    ISO JTC1/SC38 is also active in the Cloud Computing area, and has recently approved establshment of WG3 which focuses on cloud computing. The first meeting of SC38/WG3 is being held from Feb 20-24 in Vancouver. SC38/WG3 will liaise with SC7, SC27 and ITU as well as the various consortia to ensure that the standards being developed are suitable for international adoption. You can learn more ablut the Canadian Advisory Committee to SC38 (and also SC27) by contacting the Standards Council of Canada (

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: