Build or upgrade your ISMS on our platform

ISO/IEC 27017 Cloud Security Controls

These days, old fashioned business processes have been substituted with technologically sophisticated solutions that improve the efficiency and precision of business activities, but they also leave your organisation open to vulnerabilities in the form of cyber-attacks by hackers trying to steal the personal information of your customers.

If your organisation’s systems are to be breached, the financial and reputational damages can be devastating. Depending on the location you operate in, there are considerable penalties for companies who have neglected to adequately protect their systems, not to mention the irreversible damage to your organisation’s credibility and integrity in the eyes of your clients.

How, then, can organisations continue to enjoy the benefits of cloud computing while retaining trust in the ability to monitor and protect the data of customers? That’s where ISO 27017 enters into the equation.

See our simple, powerful platform in action

What is ISO 27017?

ISO/IEC 27017 is a security standard created for cloud users and service providers in order to provide a secure cloud-based system and lower the risk of security issues. The International organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) published it under the ISO/IEC JTC 1/SC 27 joint ISO/IEC subcommittee.

ISO 27017 is part of the ISO/IEC 27000 family of standards, which provide best-practice guidelines for information security management. This standard was derived from ISO/IEC 27002, and it suggests additional cloud security controls that were not fully specified in ISO/IEC 27002.

This International Standard offers guidance for cloud service users, who adopt the controls, and cloud service providers, who facilitate the controls’ implementations.

ISO 27017 takes all of the requisite safety precautions and risk-based analysis for online safety and extends them directly to cloud security.

Implementing cutting-edge security measures can be a demanding and time-consuming operation, which is exacerbated for smaller organisations without the ability to employ someone directly for the job. ISO 27017 relieves the organisation of its burden by providing the executive team with main risk areas to address and a selection of industry-proven best practices for safeguarding their cloud computing systems.

What is the Purpose of ISO 27017?

ISO 27017 supplements the ISO/IEC 27002 standard in the cloud computing environment by including supplementary information, security measures, and implementation guidance. This standard provides guidelines on 37 controls found in ISO/IEC 27002, as well as seven additional controls not found in ISO/IEC 27002.

These new controls cover some critical areas such as:

  • Shared functions and responsibilities in a cloud computing environment.
  • When a customer’s contract with a cloud service expires, the customer’s assets are removed and returned.
  • Protection and separation of a client’s virtual environment from other clients’ virtual environments.
  • Hardening requirements for virtual machines to meet business requirements.
  • Procedures for running a cloud computing environment’s administrative process.
  • Providing consumers with the ability to keep track of important events in a cloud computing environment.
  • Alignment of virtual and physical network security management.

If you work for a cloud service provider or are considering moving your company to the cloud, our ISO 27017 Overview will help you understand the standard’s core components, as well as the seven new controls and how it benefits organisations.

Why Implement ISO 27017?

It is important for clients to feel confident in the safety of their data in the cloud. ISO/IEC 27017 is a globally recognised framework that when implemented, will effectively reduce the likelihood of data breaches and increase customer trust by demonstrating your commitment to information security.

As already pointed out, the standard addresses a variety of issues, including asset ownership, the removal and return of assets after the termination of a customer contract, and the security of a customer’s virtual environment.

With the risk of cloud data breaches, it is more important than ever to show that you and your organisation are doing everything possible to mitigate these threats as a cloud service provider and/or a cloud service user.

As ISO 27017 is based on the ISO 27001 and ISO 27002 frameworks, implementation demonstrates that your organisation has put in place international best practices to protect against cloud-related threats for both cloud service providers and cloud service users.

Who Should Implement ISO 27017?

This code of practice defines controls and implementation guidelines for cloud service providers and users of cloud services. If you operate as a cloud storage service or use cloud storage directly in your activities, ISO 27017 is critical to ensure you are following best security practices.

ISO 27017 is also increasingly becoming a requirement to be considered for certain large-scale and government projects. These clients only partner with organisations that have a systematic and validated commitment to risk mitigation when providing class-leading cloud storage.

See who we’ve already helped

How Does ISO 27017 Certification Benefit A Cloud Service Provider?

Inspires confidence in your organisation

Gives stronger validation to customers and partners about the security of their data and information.

Secures your brand image

Mitigates the possibility of negative attention as a result of data breaches.

Protection from fines

Demonstrates consistent standards, making it easier to do business internationally and gain exposure as a trusted provider.

Contributes to business growth

Communication is the key when it comes to Information Security Governance processes. You are entrusted with keeping your company and its various assets secure, but it cannot be an isolated process.

We needed ISO 27001 to win new corporate clients and we needed it quickly. As a small business with limited resources, we were looking for a one-stop solution to radically speed up our implementation. has done exactly that.

Evan Harris



What Are the Benefits of ISO 27017 Certification?

  1. Provides assurance to customers

    The new ISO 27017, Code of practice for information security controls implemented in cloud services is a great opportunity for service providers to provide an external assurance to their customers that the information processed in the cloud by the cloud service provider is secure.

  2. Reduce cloud storage-based risks

    The ISO 27017 Code of practice for information security controls implemented in cloud services will help the organisation to make a plan which will be used to protect and reduce risks of a data breach and thereby inculcating the trust of the stakeholders in the organisation. The primary goal of

  3. Provides a framework for cloud services customers

    ISO 27017 implementation and certification defines a robust information security monitoring system for users of cloud computing and keeps vendors accountable.

  4. Extends and enhances ISO 27001 certification

    In the world of Information Security, ISO 27001 certification is the most well-known standard. It helps organisations to manage information security risks. In short, it provides a strategic framework to prevent, detect and deal with data breaches. ISO 27017 brings new tools and extended coverage for the protection of personally identifiable information (PII), as it relates to cloud storage.

  5. Establishes a proper information security management framework

    It establishes a robust information security management system for cloud service providers looking to provide improved certainty about the security of their services and of their customers’ data.

  6. Steps to ISO 27017 Certification

    Due to the anticipated success of ISO 27017, some certification bodies want to begin certifying against it. Since ISO 27017 is not a management standard, routine certification will not be possible; instead, certification bodies will likely offer some sort of “statement of compliance.”

    However, businesses seeking the ISO 27017 credential will almost certainly have to undergo ISO 27001 certification first, and as part of the audit, they will receive a statement certifying that they are also compliant with ISO 27017. Please keep in mind that you must show that your information management system has been completely functioning for a minimum of three months and has been subjected to a review and a complete series of internal audits.

What Standards Do ISO 27017 Integrate With?

ISO 27017 is compatible with a number of other ISO standards. These include the following:

  • ISO 27001: specifications for operating an information security management system.
  • ISO 27002: a list of basic security controls that a business can employ.
  • ISO 27017: general security recommendations for cloud computing.
  • ISO 27018: standards covering the protection of personal data in the cloud.

In practice, ISO 27017 expands on ISO 27002 by including additional information for some security controls and adding several new ones, all of which enhance the standard’s application to the cloud computing industry.

ISO 27017 provides guidelines for both providers and users of cloud services. It notes that due to the way cloud computing operates, it is possible for the same organisation to be both a customer and a provider of cloud services.

How Does ISO 27017 Integrate with ISO 27002?

ISO 27017 is structured similarly to ISO 27002, namely in the form of a checklist of potential security controls. Individual organisations will need to determine which of these controls are applicable to their circumstances, which may vary according to their position as a cloud service provider, a customer, or both. Certain controls are applicable to both providers and customers, while some have distinct applications.

The most notable contribution to ISO 27002 by ISO 27017 is the clarification on backups. It states that:

  • Cloud service customers should specify the backup functionality they need from the provider, check that the offered service meets their requirements, and make their own arrangements if the offered service is insufficient; and
  • Cloud service providers should have “safe and separate access to backups” and also specify the backup capabilities.

ISO 27001, ISO 27017, or ISO 27018 – Which to go for?

ISO 27001 is an ideal cornerstone standard for any business seeking to secure its data – it is now by far the most widely used standard globally, it establishes a system for maintaining compliance in information security, and it is the only standard against which a (valid) certificate can be obtained.

ISO 27017 is undoubtedly relevant to businesses that provide cloud-based services and want to cover all bases when it comes to cloud computing security. ISO 27018, on the other hand, is more geared toward businesses that manage personal data and want to ensure it is protected appropriately.

Cloud storage providers can adopt ISO 27001 in combination with ISO 27017, while cloud companies with a high volume of personal data will almost certainly implement all three: ISO 27001, ISO 27017, and ISO 27018.

How can help you

With years of experience developing cutting-edge technologies that assist cloud storage providers in demonstrating compliance with ISO 27017 best practices, is uniquely qualified to work with you to fulfil stakeholder needs and meet regulatory requirements.

We can assist you in complying with a variety of other standards and regulations. We provide simple-to-use frameworks, allowing you to:

  • Monitor the status of your compliance and certification efforts.
  • Avoid expensive and inefficient replication.
  • Concentrate your efforts on one place.

Our Virtual Coach is available 24 hours a day, 7 days a week to provide context-specific assistance. Additionally, you can communicate with us directly from our website. As a result, you’ll never take the wrong turn or get confused.

If you are interested in learning more about how can assist you in achieving ISO 27017 certification, please +44 (0)1273 041140 to speak to someone today.

Take a deep dive into some of our more advanced features

What kind of help do you need from us?

New to information security?

We have everything you need to design, build and implement your first ISMS.

Find out more

Ready to transform your ISMS?

We’ll help you get more out of the infosec work you’ve already done.

Find out more

Want to unleash your infosec expertise?

With our platform you can build the ISMS your organisation really needs.

Find out more

Explore other standards within the ISO 27k family

  • 1

    The ISO 27000 family

  • 2

    ISO 27002

  • 3

    ISO 27003

  • 4

    ISO 27004

  • 5

    ISO 27005

  • 6

    ISO 27008

  • 7

    ISO 27010

  • 8

    ISO 27014

  • 9

    ISO 27013

  • 10

    ISO 27016

  • 11

    ISO 27017

  • 12

    ISO 27018

  • 13

    ISO 27019

  • 14

    ISO 27038

  • 15

    ISO 27039

  • 16

    ISO 27040

  • 17

    ISO 27050

  • 18

    ISO 27102