Understanding ISO 27017 – Cloud Security Controls Explained
What is ISO 27017?
Published in 2015 by ISO and IEC (and jointly by ITU-T as Recommendation X.1631), ISO/IEC 27017 is an international standard that provides a code of practice for information security controls in cloud services. It offers guidance for both providers and customers of cloud services, directly addressing the risks that arise when data and applications are hosted on shared, provider-operated infrastructure.
The standard is not a standalone management system. Instead, it builds upon the foundational controls in ISO/IEC 27002, offering specific implementation guidance for the cloud. Its primary goal is to equip both cloud service providers and their customers with clear, actionable security practices to mitigate the risk of security incidents.
A defining feature of ISO 27017 is its focus on the roles and responsibilities of both the cloud service provider and the cloud service customer. For each control it states what the provider should do and what the customer should do, which is the practical substance of the shared-responsibility model: a control that neither party believes it owns is a control nobody implements. While often compared to ISO 27018, their purposes differ: ISO 27017 addresses cloud security in general, whereas ISO/IEC 27018 is dedicated to protecting personally identifiable information (PII) in public clouds that act as PII processors.
Key Features of ISO 27017
Essentially, ISO 27017 augments the established ISO 27002 standard with guidance tailored for the cloud. It enriches existing security frameworks, clarifying how to address the unique risks and operational realities of cloud services.
The standard achieves this primarily in two ways. First, it provides detailed, cloud-specific implementation guidance for 37 existing controls from ISO/IEC 27002. This means it takes a general security control, like managing access rights, and explains how to apply it effectively when dealing with cloud infrastructure, platforms, or software.
In addition, ISO 27017 introduces 7 new controls exclusive to cloud computing, designed specifically to address security gaps not covered by ISO 27002, such as the segregation of virtual environments and virtual machine hardening. This dual focus on enhancing existing controls and adding new ones makes it a comprehensive tool for cloud security.
Cloud Security Controls in ISO 27017
The controls in ISO 27017 provide a framework with practical guidance for both cloud service providers (CSPs) and cloud service customers (CSCs), clarifying the shared security responsibility model.
The seven new controls, numbered with a CLD prefix to distinguish them from the ISO 27002 controls they sit beside, directly address challenges unique to the cloud model:
- CLD.6.3.1 Shared roles and responsibilities: defining and documenting which security responsibilities belong to the provider and which to the customer.
- CLD.8.1.5 Removal of cloud service customer assets: clear policies for the return or deletion of customer assets when the contract ends.
- CLD.9.5.1 Segregation in virtual computing environments: keeping each customer's virtual environment isolated from other tenants in a multi-tenant architecture.
- CLD.9.5.2 Virtual machine hardening: configuring virtual machine images so they meet the customer's security requirements before use.
- CLD.12.1.5 Administrator's operational security: documented procedures for the administrative operations of the cloud environment.
- CLD.12.4.5 Monitoring of cloud services: the provider gives customers the capability to monitor specified aspects of the services they use (for example, logs of their own resources); this is about enabling customer monitoring, not about the provider monitoring customer activity.
- CLD.13.1.4 Alignment of security management for virtual and physical networks: configuring virtual networks consistently with the organization's physical network security policy.
These controls create a common language for security. They help cloud customers to ask the right questions and enable providers to offer clear, standardized answers about their security posture. This structured approach helps build trust and ensures that security measures are well-coordinated between the provider and customer.
Implementation Guidance for ISO 27017
The primary value of ISO 27017 is its detailed implementation guidance, which serves as a practical roadmap for addressing the shared responsibility model in the cloud. It provides distinct yet complementary instructions for both cloud service providers and their customers, ensuring that security measures are applied cohesively.
For cloud service customers, the standard offers clarity on their specific obligations. It helps organizations understand which security controls they are responsible for implementing and managing within the services they consume. The guidance supports customers in asking informed questions during vendor selection and provides a framework for configuring services securely, managing user access, and protecting their data within the cloud environment.
Simultaneously, the guidance directs cloud service providers on how to support their customers’ security efforts. It outlines the provider’s role in securing the underlying infrastructure and developing services with strong, configurable security features. This includes providing the necessary tools, documentation, and transparency to help customers effectively implement their side of the security controls, thereby fostering a relationship built on trust and mutual support.
This dual-perspective approach reduces the risk of gaps where each party assumes the other covers a control. It transforms security from a siloed task into a collaborative partnership, where both the provider and the customer understand their roles and work together to protect information in the cloud.
ISO 27017 and Compliance
A common point of confusion is how an organization becomes 'compliant' with ISO 27017. Unlike ISO 27001, which is a certifiable management system standard, ISO 27017 is a code of practice and has no standalone certification. Instead, conformity is demonstrated by integrating its cloud security controls into an existing ISO 27001-certified Information Security Management System (ISMS).
To achieve this, an organization must first have an ISMS based on ISO 27001. The cloud-specific controls and guidance from ISO 27017 are then incorporated into the organization's risk assessment and Statement of Applicability (SoA), with a justification for each control that is included or excluded. A certification body audits these additional controls alongside the regular ISO 27001 audit. If successful, the organization's ISO 27001 certificate, or an accompanying attestation, records its conformity with the ISO 27017 code of practice. One practical caveat: ISO 27017:2015 follows the control numbering of ISO/IEC 27002:2013, so an organization certified against ISO/IEC 27001:2022, whose Annex A follows the reorganized ISO/IEC 27002:2022 structure, needs to map the 27017 guidance onto the newer control set in its SoA.
While implementation is not mandatory in most countries, demonstrating conformity is an effective way to build trust. For cloud service providers and customers alike, it serves as a public declaration of their commitment to securing cloud environments and shows adherence to a globally recognized standard. In many cases, this attestation becomes a competitive advantage or even a contractual requirement to compete and win business.
This formal attestation serves as tangible evidence of an organization's security posture. Potential customers can request the certificate and the associated SoA as part of their vendor due diligence, which simplifies their own risk assessment. By proactively addressing cloud security through a recognized framework, organizations can foster a culture of compliance and demonstrate their reliability in a competitive market.
Relationship with Other ISO Standards
ISO 27017 is a key part of the ISO/IEC 27000 family, extending the foundational frameworks of ISO 27001 and ISO 27002. It provides cloud-specific implementation guidance to address the unique challenges and risks associated with cloud computing.
Its function is best understood in comparison to its relatives. ISO 27001 is the blueprint for an Information Security Management System (ISMS). ISO 27017 acts as a specialized addendum for securing cloud services, while ISO 27018 focuses specifically on protecting Personally Identifiable Information (PII) in the cloud. In short: ISO 27001 is the foundation, ISO 27017 covers cloud security, and ISO 27018 addresses cloud privacy.
This collaborative structure makes the ISO 27000 series effective. Other standards work together to support the main ISO 27001 framework, including:
- ISO/IEC 27005: Information security risk management
- ISO/IEC 27004: Monitoring, measurement, analysis and evaluation
- ISO/IEC 27031: ICT readiness for business continuity
Together, they form a toolkit that enables organizations to build a strong security posture, with each standard providing expert guidance for a specific domain.
Future of ISO 27017
Like the cloud technologies it governs, the ISO 27017 standard is not static; it must evolve to remain relevant as technology evolves. A new version is already under development, currently designated as ISO/IEC DIS 27017. This places it in the Draft International Standard (DIS) stage, where the draft is circulated to ISO member bodies for ballot and comment before final publication.
This upcoming revision is expected to broaden its focus. While the current 2015 version is framed purely around information security controls, the next version adopts the "information security, cybersecurity and privacy protection" framing introduced with ISO/IEC 27002:2022, and is being aligned with that standard's reorganized control set rather than the 2013 numbering the current edition references. This change reflects a critical industry trend: the convergence of these disciplines and the need for a more integrated approach to securing cloud services.
The primary driver for this evolution is the increasing complexity of the cloud environment. As new threats emerge and data privacy regulations become more stringent worldwide, the standard must adapt to provide current and effective guidance. By integrating cybersecurity and privacy more directly, the future ISO 27017 will offer a more comprehensive framework for both cloud service providers and their customers, helping them manage future security challenges.