What is ISO 27017? Importance, Standards and Certification.

iso 27017

Due to the Covid-19 pandemic, there has been a gradual increase in cloud service adoption within the last two years to help cater to the rise in remote work. Cloud service providers supply cloud computing which is flexible and productive for their cloud service customers to get the job done in their comfort zone.

In contrast, when the management of cloud security is neglected or information security aspects are improperly handled, it may result in security threats and higher business costs.

From the Cloud Security Report 2021, some of the significant security concerns regarding cloud services are listed below:

  • Data Loss or Data Leakage – 69% of most organisations regard this as their critical information security management concern. The scope of ease in data sharing in virtual cloud services raised concerns about security controls.

  • Data Privacy and Confidentiality – Most organisations adopt cloud services without having critical knowledge of information security controls or additional implementation guidance to ensure their employees understand their responsibilities in using the cloud services. The lack of controls and implementation guidance might cause sensitive data to be exposed.

  • Regulatory compliance requirements related to physical data movement, such as protected information to virtual computing environments, might make regulatory compliance more tedious. This is due to limited information security controls in some layers of cloud computing infrastructure.

  • Loss of Visibility – The organisation (cloud service customer) engaged with a cloud service provider to adopt cloud computing for their corporate network, which the organisation itself does not own. Some organisations might not have adequate information technology security techniques or relevant controls. This limits their monitoring responsibilities on cloud platforms to protect themselves against potential threats.

To mitigate the abovementioned concerns, organisations need to adopt a strategic practice for information security, such as using ISO/IEC 27017. It examines both the roles and responsibilities of cloud service providers and cloud service customers on the cloud computing platform.

What is ISO 27017? 

ISO/IEC 27017:2015 provides information security guidelines for organisations that use cloud services. The international standard recommends and assists cloud service providers with the information security controls applicable to their cloud service. This code of practice also supplements the guidance of ISO/IEC 27002 and ISO/IEC 27001 standards by including implementation guidance and additional controls specific to cloud service.

Why is ISO 27017 important? 

According to IBM 2021 report, to completely resolve a data breach costs an average of $4.24 million US dollars. ISO/IEC 27017 provides a framework that advises aligning security management for cloud service and virtual and physical networks.

When your organisation is committed to this international standard, there will be a significant reduction in the likelihood of data breaches, increasing your customers’ confidence.

Your customers must trust that their data is safe in the cloud service. Therefore as a cloud service provider, it is crucial to signal to your cloud service customer that your organisation takes security threats such as data breaches seriously and is making every effort to minimise them. Certifying ISO 27017 assures customers that their information in the cloud is secured.

Is ISO 27017 a certification?

Since ISO 27017 is not a management system standard, unlike ISO 27001, you can’t attain certification for this standard. However, you can certify against ISO 27017 during an ISO 27001 certification process. To do so, you have to include the specific controls in ISO 27017 into the scope of the ISO 27001 certification audit. Expanding your ISO 27001 scope to cover the ISO 27017 controls allows you to attain an independently verified certification to demonstrate the conformance to that standard.

What is the latest version of ISO 27017?

ISO/IEC 27017:2015 – Information Technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services is the latest version of this international standard published in 2015. This standard is part of the ISO/IEC 27000 family of standards concerning information security management. The standard extends from ISO/IEC 27002 for cloud environments to include additional controls not originally included in ISO/IEC 27002.

What are the domains of ISO 27001?

The latest version of ISO 27001: 2013 contains 14 domains, and a risk assessment should determine which controls are needed while others can be excluded from the information security management system. The respective 14 domains are listed below:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

How many controls are there in ISO 27017?

ISO/ IEC 27017: 2015 provides guidance on 37 controls based on ISO/IEC 27002 and also includes seven exclusive controls, which are:

  • Shared roles and responsibilities within a cloud computing environment
  • Removal and retrieval of cloud service customer assets upon termination of the contract
  • Protection and segregation of customer’s virtual computing environment from other customer data
  • Virtual machine hardening to cater to business requirements
  • Administrator operational security
  • Enable customers to monitor their cloud computing activities
  • Alignment of security management for physical and virtual networks

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 provides a framework which includes additional guidance and recommendations for implementing cloud-specific information security controls based on ISO 27002. ISO 27018 guides ensure privacy in cloud computing services, assisting cloud service providers in properly handling personally identifiable information.


ISO 27017: 2015 sets out guidelines for a cloud service provider to implement to provide a safeguarded cloud-based service and reduce the potential security threats. Your organisation needs to implement ISO 27017 if your organisation is a cloud storage provider or uses cloud storage directly for your business operations.

Customers are more likely to work with your organisation if they are confident that their data are handled safely. Your organisation will benefit from a better company image and reduced risk of security damage; therefore, it is strongly encouraged to comply with ISO 27017.

To comply with ISO 27017, your organisation must first undergo ISO 27001 certification. Expanding ISO 27017 controls into ISO 27001 scope will allow you to achieve the statement certifying that your organisation complies with ISO 27017 under your ISO 27001 certificate.

If your organisation needs help with compliance with ISO 27017, let us assist you in complying with the regulatory requirements more efficiently.


1. https://www.ibm.com/downloads/cas/OJDVQGRY

Learn More

our Academy e-learning course:

Do you have any questions?

Drop us an inquiry now!