ISO/IEC 27017 Cloud Security Controls

What is ISO 27017?

ISO/IEC 27017 is an information security framework for organisations using (or considering) cloud services. Cloud service providers need to comply with this standard because it keeps their cloud service customers (and others) safer by providing a consistent and comprehensive approach to information security.

ISO 27017 is part of the ISO/IEC 27000 family of standards, which provide best-practice guidelines for information security management. This standard was derived from ISO/IEC 27002, and it suggests additional cloud security controls that weren’t fully specified in ISO/IEC 27002.

Guidance for further implementation of additional controls and relevant controls specified in ISO/IEC 27002, specifically including rules about the use of cloud services. Additional security controls are also applicable.

The International organisation for Standardisation and the International Electrotechnical Commission (IEC) published it under the ISO/IEC JTC 1/SC 27 joint ISO/IEC subcommittee.

This International Standard offers guidance for cloud service customers, who adopt the controls, and cloud service providers, who facilitate the controls’ implementations.

The framework defines alignment of security management for cloud computing, virtual and physical networks.

ISO 27017 takes all requisite safety precautions, risk-based analysis for online safety and extends them directly to cloud security, where information security controls are applicable to the framework apply.

What is the Purpose of ISO 27017?

ISO 27017 supplements the ISO/IEC 27002 framework for cloud computing environment by including supplementary information, security measures, and implementation guidance. This framework provides implementation guidance on 37 controls found in ISO/IEC 27001, as well as seven additional requirements.

New cloud controls that address the following best code of practice:

  • Who’s responsible for what between the cloud service provider and the cloud customer.
  • The removal/return of assets when a contract is terminated.
  • Protection and separation of the customer’s virtual environment.
  • Virtual machine configuration.
  • Administrative operations and procedures associated with the cloud environment, letting customers monitor relevant activities.
  • Cloud customer monitoring of activity within the cloud.
  • Virtual and cloud network environment alignment.
  • Information security controls based on the ISO 27001 standard and ISO 27017 framework.

By adopting this code of practice, cloud consumers and providers can now meet baseline information security requirements by selecting relevant controls and implementation guidance based on risk assessments for cloud services.

If you work for a cloud service provider or are considering moving your company to the cloud. Our ISO 27017 overview will help you understand the framework core components, new controls and how this code of practice will benefit your organisation.

Why Implement ISO 27017?

It’s crucial for clients to have confidence in the safety of their data in the cloud. ISO/IEC 27017 is a globally recognised framework that, when implemented, will effectively reduce the likelihood of data breaches and increase customer trust by demonstrating your commitment to information security techniques.

As pointed out, the framework addresses various issues, including asset ownership, the removal and return of assets after termination of a customer contract, and security of a customer’s virtual environment.

The framework defines administrative operations for handling a cloud environment—requirements to harden a virtual machine according to business needs.

As a cloud service provider or a cloud service user, it is vital to show your organisation is doing everything possible to minimize the risks posed by data breaches.

ISO 27017 is based on the ISO 27001 standard and ISO 27002 framework, implementation demonstrates that your organisation has put in place best practices to protect against cloud-related threats for both cloud service providers and cloud service customers. It complements however doesn’t replace the requirements of ISO/IEC 27002.

See our simple, powerful platform in action

Who Should Implement ISO 27017?

If you operate a cloud storage service use a SaaS, or cloud storage directly in your business, ISO 27017 is important to ensure you follow best practice.

ISO 27017 is increasingly becoming a requirement to be considered for specific large-scale and government projects. As these organisations will only partner with businesses that demonstrate a systematic commitment to risk mitigation.

Any legal, contractual, regulatory or other cloud specific information security requirements will affect the selection of appropriate information security controls of the implementation of the framework.

This certification is a must-have for any company that uses or wishes to provide their customers with secure cloud services. It proves that they’ve implemented ISO 27017 information security controls.

This is a great way for any company to show their commitment to protecting customer information. By getting certified, you’ll set yourself apart from the competition and give your customers peace of mind. You’ll be demonstrating your knowledge and expertise on this important subject.


See who we’ve already helped

How Does the ISO 27017 Certification Process Benefit A Cloud Service Provider?

Inspires confidence in your organisation

Gives robust validation to customers and partners about the security of their data and information.

Secures your brand image

Mitigates the possibility of negative attention as a result of data breaches.

Protection from fines

Demonstrates consistent standards, making it easier to conduct business internationally and gain exposure as a trusted provider.

Contributes to business growth

Communication is key when it comes to Information Security Governance processes. You are entrusted with keeping your company and its various assets secure, but it cannot be an isolated process.

We needed ISO 27001 to win new corporate clients and we needed it quickly. As a small business with limited resources, we were looking for a one-stop solution to radically speed up our implementation. has done exactly that.

Evan Harris



What Are the Benefits of ISO 27017 Certification Process?

  1. Provides assurance to customers and cloud based guidance

    The new ISO 27017 code of practice for information security controls based on cloud services is an excellent opportunity for service providers to provide an external assurance to their customers that the information processed in the cloud by the cloud service provider is secure.

  2. Reduce cloud customer storage-based risks

    The ISO 27017 code of practice for information security controls implemented in cloud services will help the organisation make a plan that will be used to protect and reduce risks of a data breach and thereby inculcate the trust of the stakeholders in the organisation.

  3. Provides a framework for cloud services customers

    ISO 27017 implementation and certification defines a robust information security monitoring system for cloud computing users and keeps vendors accountable. Additional implementation guidance can be found on this page.

  4. Extends and enhances ISO 27001 certification

    In the world of Information Security, ISO 27001 certification is the most well-known standard. It helps organisations to manage information security risks. ISO 27017 brings new tools and extended coverage for the protection of personally identifiable information (PII) as it relates to cloud storage and information security controls. In short, it provides a strategic framework to prevent, detect and deal with data breaches.

  5. Establishes a proper information security management framework

    The framework establishes a robust information security management system for cloud virtual service providers looking to provide improved certainty about the security controls of their services, security techniques and their customers’ data.

  6. Steps to ISO 27017 Certification

    Due to the anticipated success of ISO 27017, some certification bodies want to begin certifying against it. Since ISO 27017 is not a management standard, routine certification will not be possible; instead, certification bodies will likely offer some sort of “statement of compliance.”

    However, businesses seeking the ISO 27017 credential will almost certainly have to undergo ISO 27001 certification first. As part of the audit, they will receive a statement certifying that they are also compliant with ISO 27017. Please keep in mind that you must show that your information management system has been completely functioning for a minimum of three months and has been subjected to a review and a complete series of internal audits.

What Standards Do ISO 27017 Integrate With?

ISO 27017 is compatible with other ISO standards. These include the following:

  • ISO 27001: specifications for operating an information security management system.
  • ISO 27002: a list of basic security controls that a business can employ.
  • ISO 27018: standards covering the protection of personal data in the cloud.

ISO 27017 is an expansion of ISO 27002 that includes additional information for information security controls that are necessary for protecting data in the cloud. It also adds several new ones, and enhances the standard’s applicability to the cloud computing industry.

ISO 27017 provides guidelines for both providers and users of cloud services. It notes that due to the way cloud computing operates, the same organisation can be both a customer and a provider of cloud services.


How Does ISO 27017 Integrate with ISO 27002?

ISO 27017 is structured similarly to ISO 27002, namely in the form of a checklist of potential security controls. Individual organisations will need to determine which controls are applicable to their circumstances, may vary according to their position as cloud service providers, customers, or both.

The guidelines in this International Standard provide support for information security control implementation by both cloud service customers and providers. It’s an excellent framework for anyone who offers cloud services to clients.

Specific controls are applicable to both providers and customers, while some have specific applications.

The most notable contribution to ISO 27002 by ISO 27017 is the clarification on backups. It states that:

  • Cloud service customers should specify the backup functionality they need from the provider, check that offered service meets their requirements, and make their own arrangements if the provided service is insufficient; and
  • Cloud service providers should have “safe and separate access to backups” and specify the backup capabilities.


ISO 27001, ISO 27017, or ISO 27018 – Which to go for?

ISO 27001 is an ideal cornerstone standard for any business seeking to secure its data. It’s now the most widely used standard globally. It establishes a system for maintaining compliance in information security controls, and the only standard against which a (valid) certificate can be obtained.

ISO 27017 international framework is undoubtedly relevant to businesses that provide cloud-based services and want to cover all bases for cloud computing security.

ISO 27018 is more geared toward companies that manage personal data and want to ensure it’s protected appropriately.

Cloud service providers can adopt ISO 27001 in combination with ISO 27017, while cloud companies with a high volume of personal data will almost certainly implement all three: ISO 27001, ISO 27017, and ISO 27018.

How can help you

With years of experience developing cutting-edge technologies that assist a cloud service provider in demonstrating compliance with ISO 27017 best practices, is uniquely qualified to work with you to fulfil stakeholder needs and meet regulatory requirements. Show cloud service customers that you’re committed to protecting their data with the latest security techniques and information security controls based on ISO 27017 compliance.

We can assist you in complying with a variety of other standards and regulations. We provide simple-to-use frameworks, allowing you to:

  • Monitor the status of your compliance and certification efforts.
  • Avoid expensive and inefficient replication.
  • Concentrate your efforts on one place.
  • Keep you up to date with the latest news in ISO compliance and information security aspects.
  • Additional implementation guidance of ISO IEC 27017 2015.

Our Virtual Coach is available 24 hours a day, 7 days a week, to provide context-specific assistance and implementation guidance. Additionally, you can communicate with us directly from our website. As a result, you’ll never take the wrong turn or get confused.

If you are interested in learning more about how can assist you in achieving ISO 27017 certification, please call +44 (0)1273 041140 to speak to someone today.

Are you interested in finding out more? Please read our blog for the latest information technology security techniques code of practice news.

Platform features

Disconnected templates and toolkits supported by an expensive consultant just don’t cut it anymore. You need an ISMS that works for you both now and as your business grows.

What kind of help do you need from us?

New to information security?

We have everything you need to design, build and implement your first ISMS.

Find out more

Ready to transform your ISMS?

We’ll help you get more out of the infosec work you’ve already done.

Find out more

Want to unleash your infosec expertise?

With our platform you can build the ISMS your organisation really needs.

Find out more

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27009

  • 8

    ISO 27010

  • 9

    ISO 27014

  • 11

    ISO 27013

  • 12

    ISO 27016

  • 13

    ISO 27017

  • 14

    ISO 27018

  • 15

    ISO 27019

  • 16

    ISO 27038

  • 17

    ISO 27039

  • 18

    ISO 27040

  • 19

    ISO 27050

  • 20

    ISO 27102