ISO 27017 Cloud Security Controls Resources

Everything you need to understand and implement ISO/IEC 27017 cloud security controls. Comprehensive guides on cloud-specific controls, shared responsibility between CSPs and customers, certification as an ISO 27001 extension, readiness checklists, and compliance comparisons with SOC 2 and CSA STAR.

What is ISO/IEC 27017?

ISO/IEC 27017 is an international code of practice that provides information security controls and implementation guidance specifically for cloud services. Published as a companion to ISO/IEC 27002, it addresses the unique security challenges of cloud computing by adding cloud-specific controls and tailoring existing controls for cloud environments.

The standard applies to both cloud service providers (CSPs) and cloud service customers, defining a shared-responsibility model where each party's security obligations are clearly delineated. Organisations typically implement ISO 27017 as an extension to their existing ISO 27001 ISMS, adding the cloud controls to their Statement of Applicability.

  • Extends ISO 27002 with 7 additional cloud-specific controls plus cloud implementation guidance for 37 existing controls
  • Defines shared responsibility between cloud service providers and cloud service customers
  • Certified as an extension to ISO 27001 — not a standalone certification
  • Covers IaaS, PaaS, and SaaS service models with tailored control sets
  • Addresses virtual machine security, tenant isolation, cloud data segregation, and service administration
  • Increasingly required by enterprise buyers and government procurement for cloud services

At a glance:

  • 6 ISO 27017 resources
  • 7 additional cloud-specific controls
  • 37 extended ISO 27002 controls
  • 3-year certification cycle
