Key Takeaways
  • ISO 27017 introduces 7 cloud-specific controls (CLD.6.3.1 through CLD.13.1.4) addressing risks unique to cloud computing environments.
  • Each control has distinct requirements for cloud service providers (CSPs) and cloud service customers (CSCs).
  • The shared responsibility model shifts significantly across IaaS, PaaS, and SaaS — responsibilities that fall on the customer in IaaS move to the provider in SaaS.
  • Auditors expect evidence of both control implementation and documented responsibility allocation for every applicable control.
  • Organizations that are both CSP and CSC must implement ISO 27017 from both perspectives simultaneously.

Introduction

ISO/IEC 27017:2015 is structured around two types of security guidance: extended implementation guidance for existing ISO 27002 controls and seven entirely new cloud-specific controls. This guide provides a comprehensive walkthrough of each additional control and the key extended controls, with a focus on how responsibilities are divided between cloud service providers and their customers.

Understanding these controls in detail is essential for three audiences:

  • Cloud service providers building their control framework for ISO 27001 certification with ISO 27017
  • Cloud service customers evaluating provider controls and implementing their own cloud security measures
  • Auditors and consultants assessing ISO 27017 compliance in certification or advisory engagements

For each of the seven additional controls below, we cover: what the control requires, CSP responsibilities, CSC responsibilities, and typical evidence examples that auditors look for during certification.

The 7 Additional Cloud Controls — Detailed Walkthrough

CLD.6.3.1 — Shared Roles and Responsibilities Within a Cloud Computing Environment

What This Control Requires

This is the foundational control of ISO 27017. It requires that information security roles and responsibilities as they relate to cloud services be clearly defined, documented, and communicated to all relevant parties. The division must cover all control areas — not just the seven CLD controls, but every security domain.

The control recognizes that cloud computing creates a fundamentally different security governance model compared to traditional IT. When an organization consumes cloud services, the security perimeter extends beyond the organization's direct control, creating potential gaps unless responsibilities are explicitly assigned.

CSP Responsibilities

  • Publish clear documentation of security responsibilities the CSP assumes for each service
  • Define what the CSC is responsible for and communicate this transparently
  • Provide a shared responsibility model document as part of service documentation
  • Update responsibility documentation when services change
  • Ensure staff understand the boundary between provider and customer responsibilities

CSC Responsibilities

  • Review and understand the CSP's published responsibility model
  • Map CSP responsibilities against internal security requirements to identify gaps
  • Implement controls for all responsibilities that fall to the customer
  • Document an internal view of the shared responsibility allocation
  • Include shared responsibility review in cloud service procurement and renewal processes

Evidence Examples

  • Shared responsibility matrix document
  • Service agreements referencing security responsibilities
  • Internal RACI chart for cloud security controls
  • Records of responsibility reviews during service procurement
  • Communication records demonstrating stakeholder awareness

CLD.8.1.5 — Removal of Cloud Service Customer Assets

What This Control Requires

When a cloud service agreement ends — whether through planned migration, contract termination, or service discontinuation — customer assets (data, configurations, customizations, and metadata) must be handled securely. This control ensures that customers can retrieve their data and that providers securely delete all copies after an agreed period.

This control addresses a significant cloud risk: data remnants persisting on provider infrastructure after a customer relationship ends. In multi-tenant environments, incomplete data removal could expose sensitive information to subsequent tenants or to the provider itself.

CSP Responsibilities

  • Define and publish data return procedures and supported export formats
  • Provide mechanisms for customers to export their data in a usable format
  • Implement secure data deletion procedures for all customer data upon contract termination
  • Ensure deletion covers primary storage, backups, replicas, caches, and logs containing customer data
  • Define and communicate the timeline for data availability during the transition period and final deletion
  • Provide confirmation or certification of data deletion upon request

CSC Responsibilities

  • Understand the provider's data return and deletion procedures before entering agreements
  • Negotiate adequate data transition periods in service contracts
  • Plan and execute data migration or export before contract termination
  • Request and retain confirmation of data deletion from the provider
  • Include data portability and exit requirements in cloud procurement criteria

Evidence Examples

  • Data return and deletion policy
  • Contractual clauses on data handling at termination
  • Data export procedures and format documentation
  • Certificates of data destruction issued to departing customers
  • Records of actual data deletion activities for past customer transitions

CLD.9.5.1 — Segregation in Virtual Computing Environments

What This Control Requires

A cloud service customer's virtual computing environment must be protected from other customers and unauthorized persons. This control is critical in multi-tenant architectures where multiple customers share the same physical infrastructure. The segregation must be strong enough to prevent cross-tenant data access, side-channel attacks, and resource interference.

CSP Responsibilities

  • Implement logical separation between tenant environments using appropriate isolation technologies (hypervisors, containers, namespaces, VLANs)
  • Ensure compute isolation prevents one tenant's workloads from accessing another tenant's memory, processes, or storage
  • Implement network segregation to prevent inter-tenant traffic unless explicitly authorized
  • Maintain storage separation so that one tenant cannot access another's data volumes or object stores
  • Regularly test segregation controls through penetration testing and vulnerability assessments
  • Document the segregation architecture and make relevant details available to customers

CSC Responsibilities

  • Evaluate the provider's segregation architecture and assess whether it meets risk requirements
  • Request information about the provider's multi-tenancy approach during procurement
  • Implement additional segregation within allocated environments where needed (e.g., network micro-segmentation within the customer's VPC)
  • Include segregation requirements in procurement criteria and service agreements

Evidence Examples

  • Segregation architecture documentation
  • Hypervisor and container isolation configuration records
  • Network segmentation diagrams showing tenant boundaries
  • Penetration test reports specifically testing cross-tenant access
  • Security architecture reviews of multi-tenancy controls

CLD.9.5.2 — Virtual Machine Hardening

What This Control Requires

Virtual machines provisioned and used within cloud environments must be hardened to meet the organization's security requirements. This includes securing VM images, applying baseline configurations, disabling unnecessary services, and maintaining patch currency — all adapted for the unique challenges of virtualized environments.

CSP Responsibilities

  • Provide hardened base VM images (golden images) for customer use
  • Define and publish VM hardening guidelines for customers who build their own images
  • Harden the provider's own management VMs and infrastructure VMs
  • Implement processes for maintaining and patching base images
  • Monitor for vulnerabilities in provider-managed VM images and publish advisories
  • Control access to VM image repositories and signing mechanisms

CSC Responsibilities

  • Use provider-supplied hardened images or apply documented hardening standards to custom images
  • Maintain a VM image lifecycle process including regular updates and re-hardening
  • Disable unnecessary services and ports on provisioned VMs
  • Apply security patches to customer-managed VMs in a timely manner
  • Implement configuration management to detect drift from hardening baselines

Evidence Examples

  • VM hardening standards and baseline configurations
  • Golden image management procedures
  • Patch management records for virtual machines
  • Configuration compliance scan results
  • Vulnerability assessment reports for VM images

CLD.12.1.5 — Administrator's Operational Security

What This Control Requires

Cloud administrative operations carry elevated risk because administrators have privileged access that can affect multiple customers simultaneously. This control requires that procedures for administrative operations be defined, documented, and monitored, with controls proportionate to the impact of administrative actions on the security of cloud services.

CSP Responsibilities

  • Define and document all critical administrative operations and associated procedures
  • Implement privileged access management (PAM) for cloud administrative accounts
  • Enforce multi-factor authentication and session controls for administrative access
  • Implement and maintain audit logging for all administrative actions
  • Apply the principle of least privilege to administrative roles
  • Implement break-glass procedures for emergency administrative access
  • Conduct regular reviews of administrative access rights
  • Segregate administrative duties to prevent single-person control over critical functions

CSC Responsibilities

  • Implement privileged access controls for customer-side cloud administration
  • Manage access to cloud management consoles, APIs, and dashboards
  • Monitor and log administrative actions performed by customer administrators
  • Regularly review administrative access rights and remove unnecessary privileges
  • Assess the provider's administrative security practices as part of vendor due diligence

Evidence Examples

  • Privileged access management policies and procedures
  • Administrative access review records
  • MFA configuration evidence for administrative accounts
  • Audit logs of administrative operations
  • Break-glass procedure documentation and usage records

CLD.12.4.5 — Monitoring of Cloud Services

What This Control Requires

Cloud service customers must have the capability to monitor specified aspects of cloud service operations that are relevant to their security and compliance requirements. This control ensures transparency from the CSP and monitoring capability for the CSC — addressing the visibility gap that occurs when workloads move from on-premises to cloud.

CSP Responsibilities

  • Define and publish what monitoring data and capabilities are available to customers
  • Provide access to service availability, performance, and capacity metrics
  • Offer security event and audit log access or export capabilities
  • Implement service health dashboards and status pages
  • Provide APIs or integrations for customer monitoring tools
  • Notify customers of security incidents that affect their environments
  • Define monitoring data retention periods and archival options

CSC Responsibilities

  • Identify monitoring requirements based on risk assessment and compliance obligations
  • Evaluate the provider's monitoring capabilities against requirements during procurement
  • Implement monitoring solutions that leverage provider-supplied data and tools
  • Integrate cloud monitoring with existing enterprise SIEM and monitoring infrastructure
  • Define alerting thresholds and incident response triggers for cloud-specific events
  • Regularly review monitoring effectiveness and coverage

Evidence Examples

  • Monitoring capability documentation and service catalogs
  • Customer-accessible dashboard configurations
  • Security event log export procedures
  • SIEM integration evidence for cloud log sources
  • Alerting rules and escalation procedures for cloud services

CLD.13.1.4 — Alignment of Security Management for Virtual and Physical Networks

What This Control Requires

Security management for virtual networks must be consistent with policies and practices for physical networks. This control recognizes that virtual networking (software-defined networking, virtual firewalls, virtual switches) introduces complexities and risks that must be managed with the same rigor as physical network infrastructure.

CSP Responsibilities

  • Apply consistent security policies across virtual and physical network components
  • Implement change management processes that cover virtual network configuration changes
  • Monitor virtual network traffic with the same thoroughness as physical network traffic
  • Apply firewall rules, access controls, and segmentation consistently in both domains
  • Include virtual network components in vulnerability assessments and penetration testing
  • Document the virtual network architecture and security controls

CSC Responsibilities

  • Apply organizational network security policies to virtual network configurations within the customer's cloud environment
  • Implement security groups, NACLs, and virtual firewalls according to security policy
  • Monitor virtual network traffic within the customer's allocated environment
  • Include cloud virtual networking in network security assessments
  • Evaluate the provider's virtual network security architecture

Evidence Examples

  • Network security policies covering both physical and virtual environments
  • Virtual network architecture diagrams and security control documentation
  • Change management records for virtual network configurations
  • Virtual firewall and security group rule documentation
  • Network security assessment reports including virtual components

Key Extended ISO 27002 Controls for Cloud

Beyond the 7 CLD controls, ISO 27017 provides significant cloud-specific extensions to existing ISO 27002 controls. Here are the most impactful:

A.9.2 — User Access Management (Cloud Extension)

CSP: Provide identity management integration capabilities (SSO, SAML, OIDC). Document identity federation options. Enforce strong authentication for management console access.

CSC: Integrate cloud identity management with enterprise IAM. Implement role-based access control for cloud resources. Regularly review and recertify cloud access rights.

A.10.1 — Cryptographic Controls (Cloud Extension)

CSP: Provide encryption options for data at rest and in transit. Offer key management services. Document which encryption is provider-managed versus customer-managed. Support customer-managed encryption keys (BYOK/HYOK).

CSC: Define encryption requirements for cloud-stored data. Evaluate provider encryption options against requirements. Implement customer-managed encryption keys where the risk assessment warrants it. Manage key lifecycle for customer-controlled keys.

A.12.3 — Information Backup (Cloud Extension)

CSP: Document backup capabilities, frequencies, and retention options. Define geographic location of backups. Provide restore procedures and test restore capabilities.

CSC: Define backup requirements for cloud-hosted data. Verify that provider backup practices meet recovery objectives. Implement independent backup solutions where provider capabilities are insufficient. Regularly test restore procedures.

A.15.1 — Supplier Relationships (Cloud Extension)

CSP: Disclose sub-processor and supply chain dependencies. Define security requirements for the CSP's own suppliers. Notify customers of material supply chain changes.

CSC: Evaluate the CSP's supply chain security. Include supply chain requirements in procurement criteria. Monitor for supply chain risk changes. Assess sub-processor security practices.

A.16.1 — Information Security Incident Management (Cloud Extension)

CSP: Define incident notification procedures and timelines. Provide forensic support capabilities. Coordinate incident response with affected customers.

CSC: Integrate cloud incident response with enterprise incident management. Define escalation procedures for cloud security incidents. Understand the provider's incident notification commitments.

Shared Responsibility Matrix by Service Model

The following matrix illustrates how security responsibilities shift across IaaS, PaaS, and SaaS models. This is a generalized view — specific allocations vary by provider and service.

Control Domain                  IaaS     PaaS           SaaS
Physical Facility Security      CSP      CSP            CSP
Hypervisor / Host OS            CSP      CSP            CSP
Network Infrastructure          CSP      CSP            CSP
Virtual Network Configuration   Shared   CSP (mostly)   CSP
Guest OS Patching               CSC      CSP            CSP
Middleware / Runtime            CSC      CSP            CSP
Application Security            CSC      CSC            CSP
Data Encryption at Rest         CSC      Shared         CSP (mostly)
Identity & Access Management    Shared   Shared         Shared
Data Classification             CSC      CSC            CSC
User Access Provisioning        CSC      CSC            CSC
Logging & Monitoring            Shared   Shared         Shared
Incident Response               Shared   Shared         Shared
Backup & Recovery               CSC      Shared         CSP (mostly)
Compliance & Audit              Shared   Shared         Shared

Identity and access management, incident response, logging, and compliance are always shared responsibilities regardless of service model. The customer always retains responsibility for data classification and user access decisions. These are areas where gaps most commonly appear during audits.

ISO 27017 Additional Controls — Summary Comparison

Control      Primary Risk Addressed            CSP Focus                                   CSC Focus
CLD.6.3.1    Responsibility ambiguity          Publish responsibilities                    Review and accept responsibilities
CLD.8.1.5    Data remnants after termination   Secure deletion and data return             Migration planning and deletion verification
CLD.9.5.1    Cross-tenant data leakage         Tenant isolation architecture               Evaluate and supplement segregation
CLD.9.5.2    Insecure VM configurations        Hardened images and guidelines              Hardening and patching VMs
CLD.12.1.5   Privileged access abuse           PAM, MFA, logging, duty segregation         Console access controls and monitoring
CLD.12.4.5   Visibility gap in cloud           Monitoring data and tooling                 Monitoring implementation and integration
CLD.13.1.4   Inconsistent network security     Policy alignment across virtual/physical    Virtual network security configuration

Frequently Asked Questions

What are the 7 additional cloud controls in ISO 27017?

The 7 additional controls are: CLD.6.3.1 (shared roles and responsibilities), CLD.8.1.5 (removal of cloud service customer assets), CLD.9.5.1 (segregation in virtual computing environments), CLD.9.5.2 (virtual machine hardening), CLD.12.1.5 (administrator's operational security), CLD.12.4.5 (monitoring of cloud services), and CLD.13.1.4 (alignment of security management for virtual and physical networks).

How does shared responsibility differ across IaaS, PaaS, and SaaS?

In IaaS, the customer retains most security responsibilities above the hypervisor, including OS, applications, and data. In PaaS, responsibility shifts more to the provider, which manages the platform and runtime. In SaaS, the provider handles nearly everything while the customer manages user access, data classification, and configuration. Identity management and incident response remain shared across all models.

What evidence do auditors expect for ISO 27017 controls?

Auditors expect a documented shared responsibility matrix, evidence of control implementation for each applicable CLD control (policies, procedures, configurations, monitoring outputs), service agreements reflecting responsibilities, and records of review and continuous improvement. They will examine both documentation and operational evidence.

Can an organization be both a CSP and a CSC?

Yes. Many organizations act as both. For example, a SaaS company is a CSP to its customers but a CSC when it uses IaaS or PaaS from infrastructure providers. ISO 27017 must be implemented from both perspectives where applicable, with separate responsibility matrices for each direction.

How do I create a shared responsibility matrix?

List all applicable ISO 27017 controls and relevant ISO 27002 controls in a matrix. For each control, designate whether the CSP, CSC, or both are responsible, including the specific actions each party must take. Align the matrix with your service model (IaaS/PaaS/SaaS), validate it against contractual agreements, and review it regularly as services evolve.
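The matrix by service model above and the procedure in this answer, as an added example that is not part of the guide or of ISO/IEC 27017: a small Python gap analysis that encodes the generalized matrix, checks a customer's control register and the provider's documented responsibilities against it (the CLD.6.3.1 mapping task), and lists which domains change allocation between two service models. The control register, the attestation set and the Finding record are constructed for illustration.

```python
# Added example (not from the guide or ISO/IEC 27017): a cloud service customer's
# gap analysis under CLD.6.3.1, driven by the guide's generalized matrix. The
# control register, attestation set and Finding fields are constructed here.
from dataclasses import dataclass

# Domain -> allocation under (IaaS, PaaS, SaaS), copied from the matrix above.
MATRIX = {
    "Physical Facility Security":    ("CSP", "CSP", "CSP"),
    "Hypervisor / Host OS":          ("CSP", "CSP", "CSP"),
    "Network Infrastructure":        ("CSP", "CSP", "CSP"),
    "Virtual Network Configuration": ("Shared", "CSP (mostly)", "CSP"),
    "Guest OS Patching":             ("CSC", "CSP", "CSP"),
    "Middleware / Runtime":          ("CSC", "CSP", "CSP"),
    "Application Security":          ("CSC", "CSC", "CSP"),
    "Data Encryption at Rest":       ("CSC", "Shared", "CSP (mostly)"),
    "Identity & Access Management":  ("Shared", "Shared", "Shared"),
    "Data Classification":           ("CSC", "CSC", "CSC"),
    "User Access Provisioning":      ("CSC", "CSC", "CSC"),
    "Logging & Monitoring":          ("Shared", "Shared", "Shared"),
    "Incident Response":             ("Shared", "Shared", "Shared"),
    "Backup & Recovery":             ("CSC", "Shared", "CSP (mostly)"),
    "Compliance & Audit":            ("Shared", "Shared", "Shared"),
}
COLUMN = {"IaaS": 0, "PaaS": 1, "SaaS": 2}


@dataclass(frozen=True)
class Finding:
    domain: str
    allocation: str
    issue: str  # the gap an auditor would raise


def analyze(service_model, implemented, attested):
    """Findings for one consumed service. `implemented`: domains where the customer
    runs its own control; `attested`: domains the provider has documented as its
    responsibility. CSC domains need a customer control, CSP/'CSP (mostly)' domains
    need provider documentation, Shared domains need both."""
    col = COLUMN[service_model]
    findings = []
    for domain, allocation in MATRIX.items():
        who = allocation[col]
        needs_customer = who in ("CSC", "Shared")
        needs_provider = who == "Shared" or who.startswith("CSP")
        if needs_customer and domain not in implemented:
            findings.append(Finding(domain, who, "no customer control implemented"))
        if needs_provider and domain not in attested:
            findings.append(Finding(domain, who, "provider responsibility not documented"))
    return findings


def shift(from_model, to_model):
    """Domains whose allocation changes between two service models."""
    a, b = COLUMN[from_model], COLUMN[to_model]
    return {d: (alloc[a], alloc[b]) for d, alloc in MATRIX.items() if alloc[a] != alloc[b]}


if __name__ == "__main__":
    # Constructed IaaS register: OS patching never assigned, provider silent on logging.
    implemented = set(MATRIX) - {"Guest OS Patching"}
    attested = set(MATRIX) - {"Logging & Monitoring"}
    for f in analyze("IaaS", implemented, attested):
        print(f"{f.domain} [{f.allocation}]: {f.issue}")
    print("IaaS -> SaaS:", shift("IaaS", "SaaS"))
```

Run against the real published responsibility model and the internal RACI chart, the two findings lists (customer gaps, undocumented provider duties) are the artefacts an auditor asks for under CLD.6.3.1.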