ISO 27017: Cloud Security Controls for Your ISMS
Cloud-specific controls that extend your ISMS
ISO 27017 adds cloud-specific security guidance to ISO 27001. If your organization provides cloud services or relies heavily on cloud infrastructure, ISO 27017 fills the gaps that the base standard does not address on its own - shared responsibility between provider and customer, virtual environment segregation, cloud monitoring, and asset removal when contracts end. It is not a standalone standard. It extends your existing ISMS with additional controls and implementation guidance specifically designed for cloud environments.
How ISO 27017 fits in the ISO 27000 family
Understanding where ISO 27017 sits helps you decide whether you need it:
ISO 27001 sets out the requirements for your ISMS - the management system that governs how you identify risks, select controls, and continuously improve your security posture.
ISO 27002 provides the implementation guidance for the controls in ISO 27001 Annex A. It tells you how to implement each control in practice.
ISO 27017 extends ISO 27002 with additional implementation guidance for cloud environments. It adds cloud-specific context to 37 existing controls and introduces additional controls that only apply to cloud services.
ISO 27018 covers privacy protection for personal data in the cloud - it is the cloud equivalent of what ISO 27701 does for privacy management generally.
ISO 27017 is not independently certifiable. You implement it as an extension to your ISO 27001 certification by including cloud-specific controls in your Statement of Applicability.
What ISO 27017 adds
ISO 27017 contributes two types of guidance:
Cloud-specific implementation guidance for existing controls. For 37 of the controls already in ISO 27002, ISO 27017 provides additional cloud-specific context. For example, the access control guidance expands to cover identity federation across cloud platforms, and the asset management guidance addresses data stored in shared infrastructure.
Additional cloud-only controls. ISO 27017 introduces controls that have no equivalent in ISO 27002. These address challenges unique to cloud computing:
| Control | What it covers |
|---|---|
| Shared roles and responsibilities | Defines which security responsibilities belong to the cloud provider and which to the customer, documented in agreements |
| Asset removal | Ensures customer data and assets are securely returned or deleted when a cloud contract ends or migrates |
| Virtual environment segregation | Requires proper isolation between tenants in multi-tenant environments - network, storage, compute |
| Administrator operational security | Secures privileged administrative operations on cloud infrastructure through supervision, logging, and procedures |
| Cloud service monitoring | Requires capabilities for customers to monitor service usage, security events, and configuration changes |
| Virtual network security | Ensures security controls on virtual networks are consistent with those on the underlying physical infrastructure |
Each control includes separate implementation guidance for cloud service customers (CSC) and cloud service providers (CSP). This dual perspective is one of ISO 27017’s most practical features - it tells you exactly what to do whether you are consuming or providing the service.
Customer vs provider responsibilities
The shared responsibility model is central to ISO 27017. For every control, the standard clearly states what the provider should implement and what the customer needs to handle.
As a cloud service provider, your responsibilities typically include: infrastructure security, hypervisor and platform hardening, physical security of data centers, tenant isolation at the infrastructure level, providing monitoring and logging capabilities to customers, and secure asset disposal when contracts end.
As a cloud service customer, you are responsible for: configuring access controls for your users and workloads, classifying and protecting your data within the cloud environment, monitoring your own security events using the tools the provider offers, managing encryption keys for data you control, and ensuring your own applications deployed in the cloud follow secure development practices.
Many organizations act as both. A SaaS company is a cloud customer (using AWS or Azure infrastructure) and a cloud provider (delivering its application to end users). In that case, you need controls from both perspectives - customer-side controls for your infrastructure dependencies and provider-side controls for the service you deliver.
ISO 27017 vs ISO 27018 vs C5
If you are evaluating cloud security frameworks, you will encounter all three. They serve different purposes:
| Aspect | ISO 27017 | ISO 27018 | C5 |
|---|---|---|---|
| Focus | Cloud security controls | Cloud privacy (PII protection) | Cloud security attestation |
| Published by | ISO/IEC | ISO/IEC | BSI (Germany) |
| Type | Extension to ISO 27001/27002 | Extension to ISO 27001/27002 | Independent attestation |
| Certifiable independently | No (part of ISO 27001) | No (part of ISO 27001) | Yes (own attestation report) |
| Primary audience | Global | Global | Germany/EU |
| Covers shared responsibility | Yes, extensively | Partially | Yes |
| Number of controls | 37 extended + additional cloud controls | Privacy-specific extensions | 121 criteria across 17 domains |
When you need ISO 27017: You are a cloud provider or heavy cloud user and want to extend your ISO 27001 certification with cloud-specific controls recognized globally.
When you need ISO 27018: You process personal data in the cloud and need to demonstrate cloud-specific privacy controls - particularly useful alongside GDPR compliance.
When you need C5: You serve German public sector, healthcare, or enterprise clients who require BSI’s attestation framework specifically.
Many cloud service providers targeting European markets implement all three. The overlap with your existing ISO 27001 controls means the incremental effort for each additional framework is manageable.
Practical implementation
If you already have an ISO 27001 ISMS, adding ISO 27017 is a structured extension rather than a separate project:
Extend your scope statement. Clarify which cloud services are in scope - both the cloud services you consume (IaaS, PaaS, SaaS platforms) and any cloud services you provide.
Update your risk assessment. Add cloud-specific risk scenarios: what happens if your cloud provider has a breach, if tenant isolation fails, if data is not deleted after contract termination, or if administrative credentials for your cloud environment are compromised. These risks feed into your treatment plan.
Extend your Statement of Applicability. Add the ISO 27017 cloud-specific controls to your SoA alongside your existing ISO 27001 Annex A controls. For each one, document whether it applies, your justification, and how it is implemented. This is where the dual CSC/CSP guidance is particularly useful - pick the perspective that matches your role.
Review supplier agreements. ISO 27017 emphasizes that shared responsibility must be documented. Review your cloud provider contracts to ensure they cover security responsibilities, data location, incident notification, and asset return or deletion on termination. This aligns with Annex A controls A.5.19 through A.5.22 on supplier management.
Update documentation. You will likely need updated or new policies for cloud-specific areas: cloud acceptable use, virtual environment management, cloud monitoring, and data portability procedures.
For organizations with a mature ISO 27001 ISMS, implementing ISO 27017 typically adds 4-8 weeks of work - primarily around documentation, supplier agreement review, and extending the SoA. The technical controls are often already in place from your existing cloud security practices.
How 27kay can help
We help cloud service providers and cloud-dependent organizations extend their ISO 27001 ISMS with ISO 27017 cloud security controls. Whether you need a gap analysis against the cloud-specific controls, help structuring your shared responsibility documentation, or guidance on combining ISO 27017 with C5 or ISO 27018, we will design an approach that fits your cloud architecture.
Need cloud-specific security controls in your ISMS? Let’s talk - we will assess what you already have and build a practical plan to close the gaps.