In This Guide
- Why ISO 27017 Is Not a Standalone Certification
- How ISO 27017 "Certification" Works in Practice
- Including ISO 27017 Controls in the SoA
- Certificate Representation
- The Audit Process
- Stage 1 Considerations
- Stage 2 Considerations
- What Auditors Look For
- Timeline and Planning
- Common Certification Issues
- FAQ
- ISO 27017 does not have its own certification scheme — it is always implemented and audited as an extension to ISO 27001.
- The 7 additional cloud controls and selected extended controls are added to the ISO 27001 Statement of Applicability (SoA).
- The ISO 27001 certificate scope references ISO 27017, giving customers and stakeholders assurance of cloud-specific security controls.
- Adding ISO 27017 to an existing ISO 27001 audit typically adds 1-2 days to the audit duration.
- Auditors evaluate both documentation and operational evidence for cloud controls, with special focus on the shared responsibility model.
Why ISO 27017 Is Not a Standalone Certification
Unlike ISO 27001, which defines requirements for a management system and has a formal certification scheme, ISO 27017 is a code of practice — it provides guidance and additional controls but does not define management system requirements. This distinction is important:
| Aspect | ISO 27001 | ISO 27017 |
|---|---|---|
| Document Type | Requirements standard | Code of practice (guidance) |
| Certifiable | Yes — standalone certification | No — extension to ISO 27001 |
| Contains "shall" requirements | Yes (management system requirements) | No (implementation guidance) |
| Audit Basis | Certification audit (initial + surveillance) | Audited within ISO 27001 scope |
| Output | ISO 27001 certificate | Reference on ISO 27001 certificate/SoA |
This means you cannot obtain an "ISO 27017 certificate" in isolation. What you can do is implement ISO 27017 controls within your ISO 27001 ISMS, have them audited by your certification body, and have your certificate reference these controls. The practical effect is the same: you can demonstrate to customers that your cloud security controls have been independently audited.
How ISO 27017 "Certification" Works in Practice
The practical mechanism for ISO 27017 certification involves several interconnected elements:
Step 1: Extend Your ISMS Scope
Your ISMS scope must include cloud services — either the cloud services you provide (if you are a CSP) or the cloud services you consume (if you are a CSC). The scope statement should explicitly mention cloud computing activities.
Step 2: Conduct Cloud-Specific Risk Assessment
Extend your existing information security risk assessment to identify cloud-specific threats and vulnerabilities. This risk assessment drives the selection of ISO 27017 controls — just as the general risk assessment drives selection of Annex A controls.
Step 3: Select and Implement Controls
Based on the risk assessment, select applicable ISO 27017 controls. For most cloud-related scopes, all seven additional CLD controls will be applicable, plus relevant extended guidance for existing Annex A controls.
Step 4: Update the Statement of Applicability
Add selected ISO 27017 controls to your SoA. The SoA becomes the single document that maps both standard Annex A controls and ISO 27017 cloud controls, with justifications for inclusion or exclusion of each.
Step 5: Audit and Certification
Your certification body audits the ISO 27017 controls as part of the ISO 27001 certification (or surveillance) audit. Upon successful completion, the certificate references the ISO 27017 controls.
Including ISO 27017 Controls in the Statement of Applicability
The Statement of Applicability (SoA) is the critical document that links ISO 27017 to ISO 27001 certification. Here is how to structure it effectively:
SoA Structure for ISO 27017
Your SoA should include separate sections or clearly identified entries for:
- Standard Annex A controls (ISO 27001): The 93 controls from Annex A with applicability justification
- ISO 27017 additional controls: The 7 CLD controls with applicability justification
- ISO 27017 extended guidance: Notes on which Annex A controls have been implemented with ISO 27017 cloud-specific guidance
For Each ISO 27017 Control, Document:
- Control reference: The CLD control number and name
- Applicability: Whether it applies (and if not, justification for exclusion)
- Implementation status: Current implementation level
- Responsibility: Whether the control applies to CSP role, CSC role, or both
- Implementation description: How the control is implemented
- Evidence reference: Pointer to evidence demonstrating implementation
Organize your SoA in a single document that includes ISO 27001 Annex A controls, ISO 27017 CLD controls, and (if applicable) ISO 27018 controls. This gives auditors a comprehensive view and ensures no control gaps between the standards. Version-control the SoA and review it at least annually or when cloud services change.
Certificate Representation
How ISO 27017 appears on your ISO 27001 certificate varies slightly between certification bodies, but follows common patterns:
Typical Certificate Formats
- Scope statement: The certificate scope explicitly references ISO 27017, e.g., "...in accordance with ISO/IEC 27001:2022 with controls from ISO/IEC 27017:2015"
- SoA reference: The certificate references the SoA version that includes ISO 27017 controls
- Supplementary statement: Some certification bodies issue a supplementary statement confirming ISO 27017 compliance alongside the ISO 27001 certificate
What the Certificate Communicates
To customers and stakeholders, a certificate referencing ISO 27017 communicates that:
- The organization has an ISO 27001-certified ISMS
- Cloud-specific security controls from ISO 27017 are included in the ISMS scope
- These cloud controls have been independently audited by an accredited certification body
- The shared responsibility model has been documented and reviewed
When marketing your certification, be accurate. You can say "ISO 27001 certified with ISO 27017 cloud security controls" — you should not say "ISO 27017 certified" as this implies a standalone certification that does not exist.
The Audit Process
The audit process for ISO 27017 controls is integrated into the standard ISO 27001 certification audit. Here is how it works at each stage:
Pre-Audit Considerations
Before the audit begins, ensure:
- The certification body has been informed that ISO 27017 is in scope
- Auditors assigned to the engagement have cloud security competence
- The SoA including ISO 27017 controls has been provided to the audit team
- Audit duration has been adjusted to accommodate cloud control assessment
Stage 1 Audit Considerations for ISO 27017
During Stage 1 (documentation review), the audit team assesses readiness for the Stage 2 audit. For ISO 27017, they will specifically review:
Documentation Reviewed
- ISMS scope: Confirms cloud services are explicitly included
- Statement of Applicability: Verifies ISO 27017 controls are listed with justifications
- Cloud security policy: Reviews whether cloud-specific security policies exist and are aligned with ISO 27017
- Shared responsibility documentation: Checks that responsibility matrices or agreements are in place
- Risk assessment: Confirms cloud-specific risks have been identified and assessed
- Cloud service inventory: Verifies documentation of cloud services provided or consumed
Stage 1 Outcomes Specific to ISO 27017
The Stage 1 audit may identify areas of concern that must be addressed before Stage 2, such as:
- Missing shared responsibility documentation
- ISO 27017 controls not included in the SoA
- Cloud-specific risks not addressed in the risk assessment
- Insufficient cloud security policies or procedures
Stage 2 Audit Considerations for ISO 27017
Stage 2 is the main audit where auditors verify that controls are not only documented but operationally effective. For ISO 27017 controls, auditors take a practical, evidence-based approach:
Evidence Examination
For each applicable CLD control and extended ISO 27002 control, auditors will request and examine:
- Policies and procedures specific to the control
- Configuration evidence (screenshots, exports, or live demonstrations)
- Records of monitoring, review, and improvement activities
- Interview responses from personnel with cloud security responsibilities
Typical Stage 2 Activities for Cloud Controls
- Walk-through demonstrations: Auditors may ask to see the cloud management console, monitoring dashboards, and administrative access controls
- Interviews: Cloud operations team, security team, and management will be interviewed about cloud security practices
- Sample testing: Auditors may sample specific VM configurations, network security group rules, or access reviews
- Evidence review: Examination of logs, incident records, change management records, and review minutes
What Auditors Look For: Common Focus Areas
Based on our experience auditing organizations against ISO 27017, here are the areas that receive the most scrutiny:
1. Shared Responsibility Documentation
Auditors want to see a clear, maintained shared responsibility matrix. Vague or generic documentation is insufficient — the matrix must be specific to each cloud service and reflect actual contractual arrangements.
2. Evidence of Control Operation
Documentation alone is insufficient. Auditors seek evidence that controls are operating: monitoring alerts being reviewed, access reviews being conducted, VMs being patched, and incident response being tested.
3. Cloud-Specific Risk Treatment
The risk assessment must identify cloud-specific risks (multi-tenancy, data sovereignty, provider dependency, API security) and demonstrate that selected ISO 27017 controls adequately treat these risks.
4. Integration with Existing ISMS
Cloud security controls should be integrated with the existing ISMS — not operating as a parallel system. Internal audits should cover cloud controls, management reviews should discuss cloud security, and improvement actions should address cloud-specific findings.
5. Competence and Awareness
Staff involved in cloud operations must demonstrate competence in cloud security and awareness of their responsibilities under the shared responsibility model. Training records and competence assessments are commonly reviewed.
Timeline and Planning
Scenario 1: Adding ISO 27017 to an Existing ISO 27001 Certificate
| Phase | Duration | Activities |
|---|---|---|
| Gap Analysis | 2-3 weeks | Assess current cloud practices against ISO 27017 |
| Implementation | 4-8 weeks | Implement controls, update SoA, document responsibilities |
| Internal Audit | 1-2 weeks | Audit cloud controls before certification |
| Certification Audit | 1-2 weeks | External audit (can align with surveillance audit) |
| Total | 2-4 months | |
Scenario 2: Pursuing ISO 27001 + ISO 27017 Together
| Phase | Duration | Activities |
|---|---|---|
| Planning & Scoping | 2-4 weeks | Define ISMS scope including cloud services, initial gap analysis |
| Risk Assessment | 3-4 weeks | Comprehensive risk assessment covering general and cloud-specific risks |
| Control Implementation | 8-16 weeks | Implement Annex A + ISO 27017 controls, develop policies and procedures |
| Operation & Evidence | 4-8 weeks | Operate controls, gather evidence, conduct management review |
| Internal Audit | 2-3 weeks | Full ISMS internal audit including cloud controls |
| Certification Audit | 2-4 weeks | Stage 1 + Stage 2 audit |
| Total | 6-10 months | |
Aligning with Surveillance Audits
If you already hold ISO 27001 certification, the most efficient time to add ISO 27017 is during a surveillance or recertification audit. This avoids scheduling a separate audit event and integrates the cloud control assessment into the existing audit cycle.
Common Certification Issues and How to Avoid Them
Issue 1: Generic Shared Responsibility Documentation
Problem: Using template or vendor-generic responsibility matrices without tailoring them to the specific services and contractual arrangements in use.
Solution: Create service-specific responsibility matrices that reflect actual contractual terms. Review and update them when services change.
Issue 2: Missing Cloud-Specific Risk Assessment
Problem: The risk assessment covers general information security risks but does not identify cloud-specific threats (e.g., shared infrastructure, data residency, API exposure).
Solution: Extend the risk assessment methodology to include cloud threat scenarios. Use ISO 27017 controls as a starting point for identifying cloud risks.
Issue 3: Controls Not Operational
Problem: ISO 27017 controls are documented but not yet operational — no monitoring data, no administrative access reviews conducted, no VM hardening evidence.
Solution: Allow sufficient time between implementation and audit for controls to operate and generate evidence. A minimum of 2-3 months of operational evidence is recommended.
Issue 4: Inadequate Auditor Competence
Problem: The assigned audit team does not have cloud security expertise, leading to superficial assessment of technical controls.
Solution: Confirm with your certification body that auditors assigned to the ISO 27017 scope have demonstrated cloud security competence.
Issue 5: Cloud Controls Disconnected from ISMS
Problem: Cloud security controls operate separately from the ISMS — not included in internal audits, management reviews, or improvement cycles.
Solution: Ensure cloud controls are fully integrated into ISMS processes: internal audit program, management review agenda, corrective action process, and continual improvement.
Frequently Asked Questions
Can you get ISO 27017 certified without ISO 27001?
No. ISO 27017 does not have a standalone certification scheme. It is implemented within an ISO 27001 ISMS by including ISO 27017 controls in the Statement of Applicability. The certification is always ISO 27001 with ISO 27017 controls referenced in the scope or certificate.
How does ISO 27017 appear on the ISO 27001 certificate?
The ISO 27001 certificate's scope statement references ISO 27017 controls, typically stating that the ISMS includes controls from ISO/IEC 27017:2015. The Statement of Applicability lists all applicable ISO 27017 controls alongside the standard Annex A controls.
How long does ISO 27017 certification take?
If you already have ISO 27001, adding ISO 27017 typically takes 2-4 months for implementation plus audit time. If pursuing both together, expect 6-10 months. The audit itself adds 1-2 days to the standard ISO 27001 audit duration.
Does adding ISO 27017 increase audit time?
Yes, modestly. Adding ISO 27017 controls typically adds 1-2 audit days to the ISO 27001 audit. Auditors need to verify cloud-specific controls, review shared responsibility documentation, and examine operational evidence for CLD controls.
What happens during the Stage 2 audit for ISO 27017?
During Stage 2, auditors verify that ISO 27017 controls are operationally effective. They examine evidence of shared responsibility implementation, interview cloud operations staff, review monitoring and logging capabilities, verify segregation controls, and check administrative access management in cloud environments.