What ISO 27017 covers
ISO 27017 (formally ISO/IEC 27017:2015) is a code of practice that provides cloud-specific information security controls. It builds on ISO 27001 and ISO 27002, adding implementation guidance for the ISO 27002 controls as they apply to cloud services plus a small set of controls that exist only for the cloud. Its focus is the division of responsibility between a cloud service provider and its customers, and the security issues that arise specifically from shared, virtualised infrastructure.
It is relevant both to cloud service providers and to organisations that consume cloud services and want to manage the associated risks to a recognised standard.
What certification involves
ISO 27017 is not certified on its own: because it builds on ISO 27001, the cloud-specific controls are assessed as part of an ISO 27001 information security management system audit and reflected in the scope of the ISO 27001 certificate. The cloud-specific controls typically assessed include:
- Shared roles and responsibilities between cloud provider and customer
- Removal and return of customer assets when a cloud contract ends
- Segregation and hardening in virtualised and shared environments
- Administrator and operational security for cloud services, including monitoring of the services in use
It sits within the IT-security part of the ISO Certifications portfolio and is frequently pursued alongside ISO 27018, which covers PII in public clouds.
Timeline & process
For an organisation that already holds ISO 27001, adding ISO 27017 typically takes around 10 to 14 weeks; implementing both together takes longer. Each engagement begins with a scoping call, followed by a fixed-price proposal within 24 hours.
Common questions
Do we need ISO 27001 before ISO 27017?
Yes. ISO 27017 provides additional, cloud-specific controls that sit on top of an ISO 27001 information security management system and has no stand-alone certificate of its own. You implement ISO 27001 as the foundation and add the ISO 27017 controls to its scope; many organisations certify them together in a single audit.
What is the difference between ISO 27017 and ISO 27018?
Both extend ISO 27001 and ISO 27002 for the cloud. ISO 27017 covers cloud security controls generally, for providers and customers alike; ISO 27018 focuses specifically on protecting personally identifiable information (PII) where a public cloud provider acts as a PII processor. Cloud providers often pursue both.