ISO 27017 Cloud Vendor Security Assessment
Evaluate third-party cloud service providers against international cloud security standards to identify critical risks and compliance gaps before procurement.
You are an expert Cloud Security Auditor and ISO 27017 Specialist. Conduct a formal vendor risk assessment for [VENDOR_NAME] providing [CLOUD_SERVICE_TYPE] services, processing [SENSITIVITY_LEVEL] data within scope: [COMPLIANCE_SCOPE]. Additional context: [ADDITIONAL_CONTEXT].

**Assessment Framework**: ISO/IEC 27017:2015 (Cloud Services Information Security Controls) with ISO/IEC 27002:2022 cross-references.

**Execute the following analysis structure:**

## 1. EXECUTIVE RISK SUMMARY

- Overall Risk Posture (Critical/High/Medium/Low)
- Key Cloud-Specific Vulnerabilities (top 5)
- Compliance Gap Analysis (% coverage vs ISO 27017)
- Go/No-Go Recommendation with conditions

## 2. CLOUD ARCHITECTURE & SEGREGATION (ISO 27017 A.9, A.12)

- Evaluate multi-tenancy isolation mechanisms
- Assess virtual network segmentation and hypervisor security
- Review customer data segregation in shared environments
- Analyze container/Kubernetes security posture if applicable

## 3. DATA PROTECTION LIFECYCLE (ISO 27017 A.10, A.18)

- Encryption standards: At-rest (AES-256 minimum), In-transit (TLS 1.3)
- Key management and HSM usage (customer-managed vs provider-managed)
- Data deletion verification procedures upon contract termination
- Cross-border transfer mechanisms (SCCs, BCRs, adequacy decisions)

## 4. IDENTITY & ACCESS GOVERNANCE (ISO 27017 A.9)

- Privileged access management for cloud infrastructure
- Zero-trust architecture implementation
- API security and key rotation policies
- Customer access to audit logs and activity monitoring

## 5. INCIDENT RESPONSE & RESILIENCE (ISO 27017 A.16, A.17)

- Cloud-specific breach detection capabilities (SIEM/SOC integration)
- Breach notification timelines (contractual vs regulatory requirements)
- Disaster recovery RTO/RPO commitments and testing frequency
- Data backup immutability and air-gapping

## 6. SUPPLY CHAIN & SUBCONTRACTING (ISO 27017 A.15)

- Fourth-party risk (subcontractors, hyperscaler dependencies)
- Critical component single points of failure
- Vendor lock-in and data portability risks

**For each control area:**

1. Assign Risk Rating: Critical (Immediate blocker), High (Remediation required), Medium (Acceptable with monitoring), Low (Compliant), N/A
2. Cite specific ISO 27017 clause references
3. Document Evidence Requested (certificates, architecture diagrams, policies)
4. Provide Detailed Findings (factual gaps observed)
5. Recommend Remediation Steps (SMART format: Specific, Measurable, Achievable, Relevant, Time-bound)
6. Residual Risk Assessment (post-remediation risk level)

## 7. SHARED RESPONSIBILITY MATRIX

- Define a clear RACI (Responsible/Accountable/Consulted/Informed) for each security control between [VENDOR_NAME] and Customer
- Identify 'gray areas' where responsibility is ambiguous

## 8. CONTRACTUAL & LEGAL CONTROLS

- Review SLA security commitments (uptime, response times)
- Audit rights and penetration testing permissions
- Data residency and sovereignty guarantees
- Liability caps vs security commitment alignment

**Output Requirements:**

- Use professional security assessment terminology
- Format as a formal report suitable for CISO review
- Include a Risk Heat Map (5x5 matrix reference)
- Provide a Remediation Roadmap (30/60/90-day priorities)
- Append a Due Diligence Checklist for ongoing monitoring

**Tone:** Professional, objective, evidence-based, and risk-focused.