ISO/IEC 27017

Overview

ISO/IEC 27017:2015 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It was developed by the joint technical committee ISO/IEC JTC 1/SC 27 (Information security, cybersecurity and privacy protection). It belongs to the ISO/IEC 27000 family of standards, which covers information security management systems (ISMS) and the controls that support them. The standard gives guidance on information security controls for cloud service providers (CSPs) and cloud service customers (CSCs), adapted to characteristics of cloud environments such as shared responsibility, virtualization, dynamic provisioning and multi-tenant infrastructure.[1]

Scope and Purpose

ISO/IEC 27017 supplements ISO/IEC 27002 (the code of practice for information security controls) for the provision and use of cloud services. The ISO abstract describes it as a standard that "gives guidelines for information security controls applicable to the provision and use of cloud services by providing (a) additional implementation guidance for relevant controls specified in ISO/IEC 27002; (b) additional controls with implementation guidance that specifically relate to cloud services." It is intended for organizations that provide or use cloud services and want recognised good practice for cloud security controls, typically as part of an ISMS based on ISO/IEC 27001 or ISO/IEC 27002. Cloud deployments usually involve a third-party provider, shared responsibility, virtual and short-lived assets and dynamic scaling, so ISO/IEC 27017 concentrates on clarifying who implements which control in a cloud computing environment.

Publication and Revision Status

ISO/IEC 27017:2015 was published in December 2015 as the first edition. ISO last reviewed it in 2024 and it remains current. A second edition (ISO/IEC DIS 27017) is under development and at the Draft International Standard stage; it is expected to align the guidance with the restructured control set of ISO/IEC 27002:2022 and to address cloud service risks that have changed since 2015.

Structure and Content

ISO/IEC 27017 follows the clause structure of ISO/IEC 27002 (the 2013 edition), covering information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security, and system acquisition, development and maintenance, among other clauses. It adds two kinds of material:

  • Additional implementation guidance for a number of ISO/IEC 27002 controls, stating how each applies in a cloud context and, where relevant, what the CSP and the CSC each have to do.
  • Seven cloud-specific controls, identified with the prefix CLD, that have no counterpart in ISO/IEC 27002:
    • Shared roles and responsibilities within a cloud computing environment (CLD.6.3.1)
    • Removal, by return or deletion, of cloud service customer assets at the end of the contract (CLD.8.1.5)
    • Segregation of the customer's environment in virtual computing environments (CLD.9.5.1)
    • Virtual machine configuration and hardening (CLD.9.5.2)
    • Administrator's operational security, including operating procedures for the cloud environment (CLD.12.1.5)
    • Monitoring of cloud service activity on behalf of the customer (CLD.12.4.5)
    • Alignment of security management for virtual and physical networks (CLD.13.1.4)

Together these extend ISO/IEC 27002 and make the shared-responsibility split explicit by giving separate guidance for the provider and for the customer.

Applicability and Adoption

ISO/IEC 27017 is applicable to, and benefits:

  • Cloud service providers (CSPs) that want to demonstrate internationally recognised security controls for their offerings. For example, Google Cloud reports alignment with ISO/IEC 27017:2015 for a number of its services.
  • Cloud service customers (CSCs) that use cloud services and want assurance that their provider's controls and the shared-responsibility split follow good practice, and that they themselves meet the obligations that remain on their side.
  • Organizations running public, private or hybrid deployments that extend an ISMS based on ISO/IEC 27001/27002 into cloud environments.

Clearer roles and responsibilities help providers and customers prepare for audits and demonstrate compliance. Adopting the standard still requires an organization to tie it into its internal governance, its contracts and SLAs, and its monitoring and automation tooling.

Key Themes and Control Focus

Shared Responsibility Model

ISO/IEC 27017 sets out what the cloud service provider does and what the customer retains responsibility for. This matters in cloud computing because responsibility for infrastructure, platform, data and applications can be split across several parties.

Asset and Data Lifecycle Management

Cloud services involve dynamic provisioning, elasticity and the disposal of virtual assets and data when a service ends. ISO/IEC 27017 gives guidance on the return or secure deletion of the customer's data and assets at the end of the contract.

Virtualisation, Multi-Tenancy and Segregation

The standard gives controls for the secure configuration of virtual machines and virtualisation technology, the separation of each customer's environment from other tenants, segregation of duties, hardened templates and monitoring of virtual machines.

Monitoring, Logging & Auditability

In a cloud context the customer loses direct visibility of the provider's operations, so provider-side changes, configuration and audit logs become important. The standard sets out the CSP's and the CSC's respective monitoring roles.

Contractual/Supplier Relationship Alignment

Cloud services commonly involve several suppliers, sub-processors, cross-border data flows and complex service relationships. ISO/IEC 27017 guides customers on how to build cloud security controls into contracts, SLAs and supplier management.

Integration with ISMS and Other Standards

The standard is designed to integrate with an ISMS (for example one certified to ISO/IEC 27001) and to sit alongside ISO/IEC 27002. Organizations typically adopt ISO/IEC 27017 as a supplementary layer once their general ISMS is in place.

Implementation Considerations

Organizations implementing ISO/IEC 27017 should follow a structured approach such as:

  1. Define Scope and Context - Determine the types of cloud service (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid) in use, and whether the organization acts as CSP, CSC or both.
  2. Risk Assessment - Identify cloud-specific threats such as loss of visibility, cross-tenant leakage, risks from dynamic provisioning and dependence on sub-processors, and assess their likelihood and impact.
  3. Select Applicable Controls - Use the standard's guidance to choose both the general and the cloud-specific controls that apply, and assign responsibility for each to the provider or the customer.
  4. Contract/SLA Alignment - Make sure provider and customer contracts record the shared responsibilities, the plan for returning or deleting assets and data, audit rights, monitoring obligations and sub-processor transparency.
  5. Implement Controls and Technical Measures - Harden virtual machines, segregate environments, manage the lifecycle of cloud assets, run monitoring and logging infrastructure, and adapt change management.
  6. Monitor, Audit and Evidence - Collect evidence of effectiveness such as audit reports, certificates, logs and dashboards; keep the provider's in-scope services under review with periodic reassessments.
  7. Continuous Improvement - Cloud technologies change quickly (serverless, edge and AI services). Organizations must keep their controls relevant by monitoring emerging risks and be ready to adapt to updates of the standard.
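One way a CSC can turn steps 3, 5 and 6 of this procedure into something it runs rather than documents is a policy-as-code check over its own asset register. The following is an added example written for this page; it is not code from the standard or from any provider. It evaluates a constructed inventory against the technical cloud-specific control areas discussed above (return or deletion of customer assets, segregation, virtual machine hardening, administrator security, monitoring) and attributes each finding to the CSP or the CSC according to the service model, which is the split the standard asks both parties to document. The inventory fields, the individual checks and the responsibility table are assumptions made for the example; only the CLD control references come from the standard.

```python
"""Policy-as-code check of a cloud asset inventory against the technical
cloud-specific (CLD) control areas of ISO/IEC 27017, with each finding
attributed to the CSP or the CSC by service model.

Added illustration, not code from the standard or from any provider.
The inventory fields, the checks and the CSP/CSC split are assumptions;
ISO/IEC 27017 requires the split to be documented (CLD.6.3.1) but does
not prescribe it.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str       # ISO/IEC 27017 Annex A control reference
    responsible: str   # "CSP" or "CSC"
    message: str


# Assumed responsibility split per service model: for IaaS the customer
# owns the guest configuration, for PaaS/SaaS the provider does, and
# administrator accounts are the customer's in every model.
RESPONSIBLE = {
    "CLD.8.1.5":  {"IaaS": "CSP", "PaaS": "CSP", "SaaS": "CSP"},  # removal of customer assets
    "CLD.9.5.1":  {"IaaS": "CSC", "PaaS": "CSP", "SaaS": "CSP"},  # segregation of environments
    "CLD.9.5.2":  {"IaaS": "CSC", "PaaS": "CSP", "SaaS": "CSP"},  # virtual machine hardening
    "CLD.12.1.5": {"IaaS": "CSC", "PaaS": "CSC", "SaaS": "CSC"},  # administrator's operational security
    "CLD.12.4.5": {"IaaS": "CSC", "PaaS": "CSP", "SaaS": "CSP"},  # monitoring of cloud services
}

# Constructed inventory standing in for an export of the CSC's asset register.
INVENTORY = [
    {"id": "vm-web-01", "service_model": "IaaS", "state": "running",
     "isolated_network": True, "disk_encrypted": True, "ssh_password_auth": False,
     "unused_services": [], "logging_enabled": True, "admin_mfa": True},
    {"id": "vm-batch-07", "service_model": "IaaS", "state": "running",
     "isolated_network": False, "disk_encrypted": False, "ssh_password_auth": True,
     "unused_services": ["telnet"], "logging_enabled": False, "admin_mfa": False},
    {"id": "db-prod", "service_model": "PaaS", "state": "running",
     "isolated_network": True, "disk_encrypted": True, "ssh_password_auth": False,
     "unused_services": [], "logging_enabled": False, "admin_mfa": True},
    {"id": "vm-old-03", "service_model": "IaaS", "state": "decommissioned",
     "data_returned_or_wiped": False},
]


def check_asset(asset: dict) -> list[tuple[str, str]]:
    """Return (control, message) pairs for every failed check on one asset."""
    failures = []
    if asset["state"] == "decommissioned":
        # Lifecycle: a retired asset must leave no customer data behind.
        if not asset.get("data_returned_or_wiped", False):
            failures.append(("CLD.8.1.5", "no evidence that customer data was returned or securely deleted"))
        return failures  # no configuration checks for a retired asset
    if not asset.get("isolated_network", False):
        failures.append(("CLD.9.5.1", "asset shares a network segment with other tenants or environments"))
    hardening = []
    if not asset.get("disk_encrypted", False):
        hardening.append("disk not encrypted")
    if asset.get("ssh_password_auth", False):
        hardening.append("SSH password authentication enabled")
    if asset.get("unused_services"):
        hardening.append("unneeded services: " + ", ".join(asset["unused_services"]))
    if hardening:
        failures.append(("CLD.9.5.2", "; ".join(hardening)))
    if not asset.get("admin_mfa", False):
        failures.append(("CLD.12.1.5", "administrative access without MFA"))
    if not asset.get("logging_enabled", False):
        failures.append(("CLD.12.4.5", "activity logging disabled, customer has no monitoring visibility"))
    return failures


def assess(inventory: Iterable[dict]) -> list[Finding]:
    """Run all checks and attribute each finding to the responsible party."""
    findings = []
    for asset in inventory:
        model = asset["service_model"]
        for control, message in check_asset(asset):
            findings.append(Finding(asset["id"], control, RESPONSIBLE[control][model], message))
    return findings


def by_party(findings: Iterable[Finding]) -> dict[str, list[Finding]]:
    """Split findings into the CSC's own remediation list and the list to
    raise with the provider under the contract or SLA."""
    groups: dict[str, list[Finding]] = {"CSP": [], "CSC": []}
    for finding in findings:
        groups[finding.responsible].append(finding)
    return groups


if __name__ == "__main__":
    for party, items in by_party(assess(INVENTORY)).items():
        print(f"== {party}: {len(items)} finding(s)")
        for finding in items:
            print(f"  {finding.asset:12} {finding.control:11} {finding.message}")
```

The output of `by_party` is the artefact step 6 asks for: the CSC list is evidence of its own control operation, and the CSP list is what goes into the next supplier review, with the contract clause from step 4 as the lever. Running it on the constructed inventory produces four CSC findings (all on the unhardened, unlogged IaaS machine) and two CSP findings (logging on the PaaS database and the decommissioned machine with no deletion evidence).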

Certification and Compliance

ISO/IEC 27017 is a code of practice, not a certifiable standard in its own right, unlike ISO/IEC 27001, which defines requirements for a management system. Many cloud service providers nevertheless include ISO/IEC 27017 in their compliance portfolios and audits: certification bodies certify a provider's ISMS against ISO/IEC 27001 and issue a certificate or statement that references the ISO/IEC 27017 controls. IBM Cloud, for example, publishes audit documentation for ISO/IEC 27017. Customers should read the scope of any certificate or audit statement carefully to determine which services, regions and controls it actually covers. Within those limits, a certificate that references ISO/IEC 27017 supports assurance and procurement decisions.

Benefits and Limitations

Benefits:

  • It clarifies the shared-responsibility split between CSPs and CSCs.
  • It gives cloud-specific guidance that helps reduce cloud-specific risks such as multi-tenant exposure, data remanence and misconfiguration of virtual assets.
  • It aligns cloud governance and operations with internationally accepted best-practice controls, which improves trust, stakeholder confidence and audit readiness.

Limitations:

  • As a code of practice it does not mandate controls; organizations interpret and apply the guidance within their own risk context.
  • The 2015 edition may not fully reflect later cloud technologies such as serverless, container orchestration and edge computing, so continuous adaptation is needed.

Some organizations treat a claim of ISO/IEC 27017 "certification" as equivalent to ISO/IEC 27001 certification, so due diligence is needed to understand what an audit actually covered.

Relationships with Other Standards and Frameworks

ISO/IEC 27017 is normally used alongside several related standards:

  • ISO/IEC 27001: Specifies the requirements for establishing, implementing, maintaining and improving an ISMS. Organizations layer the ISO/IEC 27017 guidance onto an ISMS built on ISO/IEC 27001.
  • ISO/IEC 27002: Provides the control objectives and implementation guidance for general information security controls. ISO/IEC 27017 adapts these for cloud environments.
  • ISO/IEC 27018: Provides a code of practice for protecting personally identifiable information (PII) in public clouds acting as PII processors. ISO/IEC 27017 covers cloud security in general; ISO/IEC 27018 focuses on privacy and PII in the cloud.
  • The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and similar frameworks map their control sets to ISO/IEC 27017, and many cloud-compliance tools and vendor assurance programmes rely on these mappings.

Future Developments

A second edition (ISO/IEC DIS 27017) is being developed to align the standard with ISO/IEC 27002:2022 and to update the cloud-specific controls for serverless architectures, multi-cloud and hybrid deployments, edge computing and AI services. Organizations can expect future updates to place more emphasis on dynamic controls and automation and to improve the guidance for newer service models.

Sources

  • International Organization for Standardization (ISO). ISO/IEC 27017:2015 – Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.
  • Microsoft. ISO/IEC 27017:2015 code of practice for information security controls. Microsoft Learn.
  • Google Cloud. ISO/IEC 27017 – compliance.
  • IBM Cloud. ISO 27017 Compliance – IBM Cloud.
  • BSI Group. ISO/IEC 27017 – Information Security for Cloud Services.
  • IT Governance UK. ISO/IEC 27017 and ISO/IEC 27018 – Cloud security standards.
  • Secureframe. How to Secure Your Cloud Infrastructure with ISO 27017 Compliance. Secureframe Blog.
  • Sprinto. ISO 27017 – Security & Compliance Techniques. Sprinto Blog.
  • NordLayer. ISO 27017: Cloud Protection Essentials.
  • 6clicks. ISO 27017: Comprehensive Guide to Cloud Security Standards. 6clicks Resources.
  • Barr Advisory. ISO 27000 Series: The Ins and Outs of ISO 27001, ISO 27002, ISO 27017 & ISO 27018.
  • A-LIGN. Strengthening the Cloud: ISO 27017 and ISO 27018.
  • EUNETIC. Understanding ISO/IEC 27017: Cloud Service Security Standards. EUNETIC Knowledge Base.
  • Wikipedia contributors. ISO/IEC 27017. Wikipedia.
  • Almorsy, M., Grundy, J., Müller, I. An Analysis of the Cloud Computing Security Problem. arXiv, 2016.
  • Gholami, A., Laure, E. Security and Privacy of Sensitive Data in Cloud Computing: A Survey of Recent Developments. arXiv, 2016.
  • Wikipedia contributors. ISO/IEC 27000 family. Wikipedia.
  • ISMS.online. ISO/IEC 27017 Cloud Security Controls.

References

  1. ^ DIN EN ISO/IEC 27017:2021-11, Informationstechnik - Sicherheitsverfahren - Anwendungsleitfaden für Informationssicherheitsmaßnahmen basierend auf ISO/IEC 27002 für Cloud Dienste (ISO/IEC 27017:2015); Deutsche Fassung EN ISO/IEC 27017:2021 [Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC 27017:2015); German version EN ISO/IEC 27017:2021], DIN Media GmbH, retrieved 2025-12-01