Key Takeaways
  • ISO/IEC 27017:2015 provides cloud-specific security guidance by extending ISO 27002 controls and introducing 7 additional cloud controls.
  • The standard addresses both cloud service providers (CSPs) and cloud service customers (CSCs), defining responsibilities for each.
  • ISO 27017 is not independently certifiable — it is implemented as part of an ISO 27001 ISMS by including its controls in the Statement of Applicability.
  • The shared responsibility model is central to ISO 27017, clarifying which party is accountable for each security control across IaaS, PaaS, and SaaS.
  • Organizations offering or consuming cloud services gain a structured, internationally recognized approach to managing cloud-specific security risks.

What is ISO/IEC 27017?

ISO/IEC 27017:2015 is an international standard titled "Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services." The same text is also published as ITU-T Recommendation X.1631. In practical terms, it is the ISO guidance for implementing information security controls in cloud computing environments.

While ISO 27002 provides general information security control guidance, ISO 27017 takes those same controls and adds cloud-specific implementation considerations. It also introduces seven new controls that address risks specific to cloud computing, such as multi-tenancy and virtualization, which the original ISO 27002 controls were not written to address.

The standard is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that provide or use cloud services. Whether you are a major infrastructure-as-a-service provider or a startup consuming SaaS tools, ISO 27017 provides relevant security guidance.

ISO 27017 in a Nutshell

What: Cloud-specific security control guidance extending ISO 27002
Full Name: ISO/IEC 27017:2015 — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Certification: Not standalone — implemented as an extension to the ISO 27001 Statement of Applicability (SoA)
Scope: Cloud service providers (CSPs) and cloud service customers (CSCs)
Key Feature: 7 additional cloud controls + extended guidance for ISO 27002 controls
Recognition: Global

History and Development

The development of ISO 27017 reflects the rapid evolution of cloud computing and the growing need for standardized cloud security guidance:

Timeline of Cloud Security Standardization

  • 2005: ISO/IEC 27002:2005 published — provided general information security controls but with no cloud-specific guidance
  • 2011: Cloud computing adoption accelerated, exposing gaps in existing security frameworks that did not address multi-tenancy, virtualization, and shared infrastructure risks
  • 2012: ISO/IEC 27018:2014 development began — focused on protection of personally identifiable information (PII) in public clouds
  • 2014: ISO/IEC 27018 published as the first cloud-specific privacy standard
  • 2015: ISO/IEC 27017:2015 published — providing the comprehensive cloud security control framework
  • 2022: ISO/IEC 27002:2022 published with restructured controls (its Annex B maps the 2022 controls to the 2013 numbering). ISO 27017 still follows the ISO/IEC 27002:2013 structure on which it was based, but remains valid and widely used

ISO 27017 was developed by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques (since renamed Information security, cybersecurity and privacy protection), jointly with ITU-T, which publishes the identical text as Recommendation X.1631. The standard drew upon existing work from national bodies and industry groups, including contributions from the Cloud Security Alliance (CSA) and various national standards organizations.

The standard filled a critical gap: organizations needed cloud-specific security guidance that was internationally recognized, technology-neutral, and aligned with the existing ISO 27000 family of standards. Before ISO 27017, organizations relied on a patchwork of vendor-specific best practices and industry frameworks that lacked the formal recognition of an ISO standard.

Relationship to ISO 27001 and ISO 27002

Understanding how ISO 27017 fits within the ISO 27000 family is essential for effective implementation:

The ISO 27000 Family Hierarchy for Cloud

Standard Purpose Role in Cloud Security
ISO 27001 ISMS requirements (certifiable) Management system framework; the certificate
ISO 27002 General security control guidance Base controls that ISO 27017 extends
ISO 27017 Cloud security control guidance Cloud-specific extensions + 7 new controls
ISO 27018 Cloud PII protection Privacy-specific controls for public cloud PII processors

How ISO 27017 Extends ISO 27002

ISO 27017 follows the same control structure as ISO/IEC 27002:2013 (clauses 5-18). For each existing ISO 27002 control, ISO 27017 may provide:

  • Cloud service provider guidance: Additional implementation considerations specific to operating cloud services
  • Cloud service customer guidance: Additional implementation considerations for organizations using cloud services
  • No additional guidance: Where the existing ISO 27002 guidance is sufficient for cloud contexts

This structure makes ISO 27017 highly practical: security teams already familiar with ISO 27002 can layer on cloud-specific guidance without learning an entirely new framework.

How ISO 27017 Connects to ISO 27001

ISO 27001 is the certifiable management system standard. It requires organizations to determine the controls their risk treatment needs (taken from Annex A or from any other source), compare that set against Annex A to confirm nothing necessary has been omitted, and document the result in a Statement of Applicability (SoA). The seven cloud controls enter the ISMS through that "other source" route. When implementing ISO 27017:

  1. The 7 additional cloud controls from ISO 27017 are added to the SoA alongside standard Annex A controls
  2. Extended cloud guidance informs how existing Annex A controls are implemented in cloud contexts
  3. The ISO 27001 certificate can reference ISO 27017 controls in its scope

ISO 27017 does not have its own certification scheme. Organizations implement it within their ISO 27001 ISMS and the certification body audits the cloud controls as part of the ISO 27001 audit.

Who Needs ISO 27017?

ISO 27017 is relevant to two primary audiences, each with distinct motivations:

Cloud Service Providers (CSPs)

Organizations that deliver cloud computing services to customers, including:

  • Infrastructure providers (IaaS): Companies providing virtual machines, storage, and networking (e.g., data center operators, hosting providers)
  • Platform providers (PaaS): Companies providing development platforms, databases-as-a-service, and middleware
  • Software providers (SaaS): Companies delivering applications over the internet
  • Managed service providers: Companies managing cloud infrastructure on behalf of clients

CSPs pursue ISO 27017 to demonstrate that their cloud infrastructure and operations meet internationally recognized security standards. This is increasingly a procurement requirement from enterprise customers.

Cloud Service Customers (CSCs)

Organizations that consume cloud services, including:

  • Enterprises migrating to cloud: Organizations moving workloads from on-premises to cloud environments
  • Regulated industries: Financial services, healthcare, and government organizations with strict security obligations
  • Data-intensive businesses: Organizations processing sensitive data in cloud environments
  • Multi-cloud adopters: Organizations using services from multiple cloud providers

CSCs use ISO 27017 to establish a structured approach to managing cloud security risks, evaluating provider controls, and fulfilling their side of the shared responsibility model.

When ISO 27017 is Especially Valuable

  • Enterprise customers require proof of cloud-specific security controls beyond general ISO 27001
  • Regulatory frameworks reference cloud security standards (e.g., financial regulators, data protection authorities)
  • Your organization operates multi-tenant cloud environments where segregation is critical
  • You need to demonstrate cloud security maturity to differentiate from competitors
  • Cross-border data processing in cloud raises compliance questions

The 7 Additional Cloud Controls

ISO 27017 introduces seven controls not found in ISO 27002, listed in the standard's Annex A and numbered with a CLD. prefix that places each one in the ISO 27002:2013 clause it extends. These address cloud-specific risks that require dedicated attention:

CLD.6.3.1 — Shared Roles and Responsibilities Within a Cloud Computing Environment

This foundational control requires that the allocation of information security roles and responsibilities between the cloud service provider and the cloud service customer be clearly defined and documented. It establishes the principle that security in the cloud is a shared obligation and that ambiguity in responsibility allocation is itself a security risk.

What it requires: Documented delineation of security responsibilities, communicated clearly to all parties. This includes specifying who is responsible for each control area, who implements the control, and who verifies its effectiveness.

CLD.8.1.5 — Removal of Cloud Service Customer Assets

When a cloud service customer terminates a contract or migrates away from a provider, their data and assets must be handled securely. This control addresses the secure return or deletion of customer assets upon contract termination.

What it requires: Defined processes for returning customer data in a usable format and securely erasing all copies from provider infrastructure, including backups and replicas, within agreed timeframes.

CLD.9.5.1 — Segregation in Virtual Computing Environments

Multi-tenancy is fundamental to cloud economics but introduces risks of data leakage between tenants. This control requires that a cloud service customer's virtual environment be protected from other customers and unauthorized persons.

What it requires: Technical controls ensuring logical separation between tenants, including network segregation, compute isolation, and storage separation. The level of segregation should be commensurate with the risk assessment.

CLD.9.5.2 — Virtual Machine Hardening

Virtual machines are the building blocks of cloud infrastructure and must be secured with the same rigor as physical systems — and additional cloud-specific considerations. This control requires that virtual machines be hardened to meet business needs.

What it requires: Baseline hardening standards for virtual machines including secure images, disabled unnecessary services, patching procedures, and configuration management specific to virtualized environments.

CLD.12.1.5 — Administrator's Operational Security

Cloud administrators have privileged access that can affect many customers simultaneously. This control addresses the security of administrative operations in cloud environments.

What it requires: Documented procedures for administrative operations, privileged access management, monitoring of administrative activities, and controls to prevent unauthorized administrative actions that could impact customer environments.

CLD.12.4.5 — Monitoring of Cloud Services

Cloud environments require specialized monitoring capabilities beyond traditional infrastructure monitoring. This control requires that the cloud service customer have the capability to monitor specified aspects of the operation of cloud services.

What it requires: Monitoring capabilities provided to or accessible by customers, including service availability, performance metrics, security event logs, and capacity utilization. The CSP must define what monitoring data is available and how customers can access it.

CLD.13.1.4 — Alignment of Security Management for Virtual and Physical Networks

Virtual networking in cloud environments introduces complexities not present in traditional physical networks. This control requires that cloud computing network security management be consistent across virtual and physical networks based on the information security policy.

What it requires: Consistent security policies applied to both virtual and physical network components, including firewalls, access controls, monitoring, and segmentation. Virtual network configurations should receive the same level of change management and security review as physical network changes.

Extended Implementation Guidance for Existing Controls

Beyond the 7 new controls, ISO 27017 provides additional cloud-specific implementation guidance for many existing ISO 27002 controls. This guidance is tailored separately for CSPs and CSCs.

Key Areas with Extended Guidance

Access Control (Clause 9)

ISO 27017 extends access control guidance to address cloud-specific scenarios including:

  • Access management across multi-tenant environments
  • Cloud service customer identity management integration
  • Privileged access to cloud management consoles and APIs
  • Authentication mechanisms for cloud service access

Asset Management (Clause 8)

Cloud environments require enhanced asset management to track:

  • Virtual assets (VM instances, images, snapshots and other provisioned resources that exist only as provider-side configuration)
  • Data location and jurisdictional considerations
  • Cloud service inventory and dependency mapping
  • Customer data classification in multi-tenant storage

Cryptography (Clause 10)

Cloud-specific cryptographic considerations include:

  • Key management responsibilities between CSP and CSC
  • Encryption of data at rest in shared storage environments
  • Encryption of data in transit between cloud service components
  • Customer-managed encryption keys vs provider-managed keys

Operations Security (Clause 12)

Extended guidance covers:

  • Change management in multi-tenant environments
  • Capacity management and resource allocation
  • Logging and monitoring in cloud-specific contexts
  • Software installation controls in virtualized environments

Communications Security (Clause 13)

Cloud-specific network security guidance addresses:

  • Segregation of virtual networks, including separation between tenants and between a tenant's own environments
  • Inter-service communication security
  • API security and gateway controls
  • Network security between cloud and on-premises environments

Supplier Relationships (Clause 15)

This section is especially relevant for cloud contexts:

  • Cloud supply chain security
  • Sub-processing and nested cloud services
  • Service level agreements for security controls
  • Right to audit and assurance mechanisms

The Shared Responsibility Concept

The shared responsibility model is the conceptual backbone of ISO 27017. It formally establishes that security in cloud computing is not the sole responsibility of either the provider or the customer — it is a shared obligation that must be explicitly defined, documented, and managed.

Why Shared Responsibility Matters

In traditional on-premises computing, an organization controlled every layer of the technology stack from physical facilities to applications. Cloud computing fundamentally changes this by distributing control across organizational boundaries. This creates a risk of security gaps where neither party believes they are responsible for a particular control.

ISO 27017 addresses this by requiring:

  • Explicit documentation: Every security control must have an identified responsible party
  • Clear communication: Both parties must understand their obligations
  • Regular review: Responsibility allocations must be reviewed as services and risks evolve
  • Contractual alignment: Service agreements must reflect the agreed responsibility split

The Responsibility Matrix

A practical output of ISO 27017 implementation is a shared responsibility matrix. For each control area, the matrix defines:

Responsibility Level Description
CSP Responsible The provider implements, manages, and monitors the control
CSC Responsible The customer implements, manages, and monitors the control
Shared Both parties contribute — the control is split at a defined boundary
Not Applicable The control does not apply to the specific service model or context

How ISO 27017 Fits IaaS, PaaS, and SaaS

The distribution of security responsibilities shifts significantly depending on the cloud service model. ISO 27017 recognizes this and provides guidance applicable across all three models:

Infrastructure as a Service (IaaS)

In IaaS, the CSP provides the physical infrastructure, virtualization layer, and basic networking. The customer retains significant control and responsibility:

  • CSP responsibilities: Physical security, hypervisor security, network infrastructure, storage hardware
  • CSC responsibilities: Operating system, middleware, applications, data, access control, patching
  • ISO 27017 focus: VM hardening (CLD.9.5.2), virtual network alignment (CLD.13.1.4), segregation (CLD.9.5.1)

Platform as a Service (PaaS)

In PaaS, the CSP manages the platform and underlying infrastructure. The customer focuses on applications and data:

  • CSP responsibilities: All IaaS responsibilities plus OS, middleware, runtime environment
  • CSC responsibilities: Applications, data, user access, application-level security
  • ISO 27017 focus: Administrator security (CLD.12.1.5), monitoring (CLD.12.4.5), shared responsibilities (CLD.6.3.1)

Software as a Service (SaaS)

In SaaS, the CSP manages the entire stack. The customer controls configuration and data:

  • CSP responsibilities: Everything below the application — infrastructure, platform, application security, availability
  • CSC responsibilities: Data classification, user access management, configuration, data governance
  • ISO 27017 focus: Asset removal (CLD.8.1.5), monitoring access (CLD.12.4.5), responsibility clarity (CLD.6.3.1)

Typical Responsibility Split by Service Model

Control Area IaaS PaaS SaaS
Physical Security CSP CSP CSP
Network Security Shared CSP (mostly) CSP
OS / Middleware CSC CSP CSP
Application Security CSC CSC CSP
Data Security CSC CSC Shared
Identity & Access Shared Shared Shared
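The two tables above (the four responsibility levels and the per-model split) only close the gap that CLD.6.3.1 targets if every cell is filled in, every "Shared" entry names the boundary, and every "Not Applicable" entry carries a rationale. The following Python is an added example, not code from the standard or from any provider's published matrix: it encodes a constructed, hypothetical matrix seeded with three deliberate gaps and runs the checks a practitioner would want before the matrix goes into a contract or an SoA.

```python
from dataclasses import dataclass

# Responsibility levels and service models as used in the tables on this page.
LEVELS = ("CSP", "CSC", "Shared", "N/A")
MODELS = ("IaaS", "PaaS", "SaaS")


@dataclass(frozen=True)
class Entry:
    owner: str            # one of LEVELS
    boundary: str = ""    # for "Shared": where the split between CSP and CSC lies
    rationale: str = ""   # for "N/A": why the control does not apply in this model


def find_gaps(matrix, models=MODELS):
    """Return (control, model, problem) triples for every cell that would leave
    a control without an identified, unambiguous owner."""
    gaps = []
    for control, cells in matrix.items():
        for model in models:
            entry = cells.get(model)
            if entry is None:
                gaps.append((control, model, "no entry for this service model"))
                continue
            if entry.owner not in LEVELS:
                gaps.append((control, model, f"unknown owner {entry.owner!r}"))
            elif entry.owner == "Shared" and not entry.boundary.strip():
                gaps.append((control, model, "Shared without a defined boundary"))
            elif entry.owner == "N/A" and not entry.rationale.strip():
                gaps.append((control, model, "N/A without a rationale"))
    return gaps


def customer_obligations(matrix, model):
    """Controls the customer must implement, in full or in part, for one model;
    these are the ones that must show up as CSC-implemented in the customer's SoA."""
    return sorted(
        control for control, cells in matrix.items()
        if model in cells and cells[model].owner in ("CSC", "Shared")
    )


# Constructed sample matrix (hypothetical) with three deliberate gaps.
SAMPLE = {
    "Physical security": {m: Entry("CSP") for m in MODELS},
    "Network security": {
        "IaaS": Entry("Shared", boundary="CSP: fabric and hypervisor; CSC: security groups and routing"),
        "PaaS": Entry("CSP"),
        # SaaS cell missing -> gap
    },
    "OS / middleware": {"IaaS": Entry("CSC"), "PaaS": Entry("CSP"), "SaaS": Entry("CSP")},
    "Application security": {"IaaS": Entry("CSC"), "PaaS": Entry("CSC"), "SaaS": Entry("CSP")},
    "Data security": {
        "IaaS": Entry("CSC"),
        "PaaS": Entry("CSC"),
        "SaaS": Entry("Shared"),        # no boundary stated -> gap
    },
    "Identity & access": {
        "IaaS": Entry("Shared", boundary="CSP: console/API authentication; CSC: user lifecycle and roles"),
        "PaaS": Entry("Both"),          # not one of the defined levels -> gap
        "SaaS": Entry("Shared", boundary="CSP: SSO integration; CSC: provisioning and MFA policy"),
    },
}

if __name__ == "__main__":
    for control, model, problem in find_gaps(SAMPLE):
        print(f"GAP  {control:<22} {model:<5} {problem}")
    print("SaaS customer obligations:", customer_obligations(SAMPLE, "SaaS"))
```

Run as a script it lists the three seeded gaps. In practice the matrix would be built from the provider's published responsibility statement and the customer's own control list, and the output of customer_obligations() is the set of controls the customer has to own in its SoA rather than assume the provider covers.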

Benefits of Implementing ISO 27017

1. Structured Cloud Risk Management

ISO 27017 provides a systematic framework for identifying and managing cloud-specific risks. Rather than relying on ad-hoc assessments, organizations gain a standardized approach aligned with international best practice. This is particularly valuable when managing risks across multiple cloud providers or migrating between providers.

2. Customer and Market Trust

Including ISO 27017 controls in your ISO 27001 certification demonstrates that your cloud security posture goes beyond generic information security. For cloud service providers, this is a meaningful differentiator in procurement evaluations where buyers specifically ask for cloud security assurance.

3. Regulatory Alignment

Regulatory regimes for cloud outsourcing do not mandate ISO 27017, but their expectations overlap heavily with its control areas, so an ISO 27017-aligned ISMS produces reusable evidence for:

  • European Banking Authority (EBA) guidelines on outsourcing arrangements, which cover cloud outsourcing
  • Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines
  • APRA CPS 234 in Australia, which requires information security capability to extend to assets managed by third parties, cloud providers included
  • Data protection authorities' guidance on processors and cloud services, where ISO-family certifications are commonly accepted as evidence of technical and organisational measures

4. Clearer Shared Responsibility

The formal shared responsibility documentation required by ISO 27017 eliminates ambiguity. This reduces the risk of security gaps at organizational boundaries and strengthens contractual arrangements with providers or customers.

5. Enhanced Incident Response

ISO 27017 guidance on cloud-specific incident management helps organizations prepare for scenarios unique to cloud environments, including multi-tenant incidents, provider outages, and data sovereignty issues.

6. Efficient Integration with ISO 27001

Because ISO 27017 extends the existing ISO 27001 framework rather than creating a parallel system, implementation is efficient for organizations already certified to ISO 27001. The additional cloud controls integrate naturally into the existing ISMS structure.

7. Competitive Advantage for CSPs

Cloud service providers that demonstrate ISO 27017 compliance differentiate themselves in a crowded market. Enterprise customers increasingly list cloud-specific security certifications as procurement criteria, making ISO 27017 a revenue enabler.

Getting Started with ISO 27017

Prerequisites

  1. ISO 27001 Foundation: You need an existing ISO 27001 ISMS (or pursue both together) since ISO 27017 controls are added to the ISO 27001 SoA
  2. Cloud Service Inventory: Document all cloud services you provide or consume
  3. Role Determination: Clarify whether you are a CSP, CSC, or both
  4. Risk Assessment: Extend your existing risk assessment to include cloud-specific threats

Implementation Steps

  1. Gap Analysis: Map current cloud security practices against ISO 27017 requirements
  2. Responsibility Mapping: Create shared responsibility matrices for each cloud service
  3. Control Selection: Select applicable ISO 27017 controls (all 7 additional + relevant extended guidance)
  4. SoA Update: Add selected ISO 27017 controls to your ISO 27001 Statement of Applicability
  5. Implementation: Implement controls, policies, and procedures
  6. Documentation: Update ISMS documentation with cloud-specific procedures
  7. Internal Audit: Audit cloud controls as part of your ISMS internal audit
  8. Certification Audit: Include ISO 27017 scope in your ISO 27001 certification audit

Timeline Considerations

  • Already ISO 27001 Certified: typically 2-4 months to add ISO 27017 controls
  • Pursuing Both Together: typically 6-12 months for integrated implementation
  • Complex Multi-Cloud Environments: typically 4-8 months for the ISO 27017 addition, because responsibility mapping has to be done per provider and per service

These are indicative figures; ISMS maturity, the number of cloud services in scope, and the responsiveness of providers to evidence requests drive most of the variation.

Frequently Asked Questions

What is ISO 27017?

ISO/IEC 27017:2015 is an international standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It extends ISO 27002 with 7 additional cloud-specific controls and enhanced implementation guidance for existing controls.

Is ISO 27017 a standalone certification?

No. ISO 27017 is not independently certifiable. It is implemented as an extension to ISO 27001 by including its controls in the Statement of Applicability (SoA). Your ISO 27001 certificate then references ISO 27017 controls, demonstrating cloud-specific security assurance.

Who needs ISO 27017?

Both cloud service providers (CSPs) and cloud service customers (CSCs) benefit from ISO 27017. CSPs use it to demonstrate robust cloud security controls to customers, while CSCs use it to manage risks when consuming cloud services. It is especially valuable for organizations in regulated industries.

What are the 7 additional controls in ISO 27017?

The 7 controls are: CLD.6.3.1 (shared roles and responsibilities), CLD.8.1.5 (removal of customer assets), CLD.9.5.1 (segregation in virtual environments), CLD.9.5.2 (virtual machine hardening), CLD.12.1.5 (administrator's operational security), CLD.12.4.5 (monitoring of cloud services), and CLD.13.1.4 (alignment of virtual and physical network security).

How does ISO 27017 relate to ISO 27001 and ISO 27002?

ISO 27017 builds on ISO 27002 by providing cloud-specific implementation guidance for existing controls and adding 7 new cloud controls. It is implemented within an ISO 27001 ISMS by including these controls in the Statement of Applicability alongside standard Annex A controls. ISO 27001 is the management system; ISO 27002 is general control guidance; ISO 27017 is cloud-specific control guidance.