ISO/IEC 27017 - Security Controls for Cloud Services
Secure Your Cloud, Build Customer Trust
Cloud computing has transformed how organizations deliver and consume IT services, offering scalability, flexibility, and cost-efficiency. However, the cloud also introduces unique security challenges that require specialized controls and expertise. At Glocert International, we specialize in providing independent third-party ISO/IEC 27017 certification that validates your organization's cloud security controls. As a leader in the Testing, Inspection, and Certification industry, we conduct thorough ISO 27017 audits that verify your cloud security implementation meets international standards, helping you demonstrate security excellence and build trust with cloud customers and stakeholders.
What is ISO/IEC 27017?
ISO/IEC 27017:2015 is the international standard providing guidance on information security controls applicable to the provision and use of cloud services. It is based on ISO/IEC 27002 (Code of Practice for Information Security Controls) and provides additional implementation guidance for cloud-specific controls referenced in ISO/IEC 27002, as well as additional controls specifically for cloud services.
The standard addresses security from both perspectives: cloud service providers (CSPs) and cloud service customers (CSCs). ISO/IEC 27017 supplements the ISO 27001 Information Security Management System (ISMS) and provides cloud-specific security control guidance for IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) environments.
Key Components of ISO/IEC 27017
- ISO 27002 Cloud Guidance: Additional implementation guidance for cloud-relevant ISO 27002 controls
- Cloud-Specific Controls: Seven new controls specifically for cloud computing environments
- Shared Responsibility Model: Guidance on responsibilities between cloud providers and customers
- Cloud Service Categories: Applicable to IaaS, PaaS, and SaaS models
- Data Security: Controls for protecting data in multi-tenant cloud environments
- Virtualization Security: Controls for securing virtualized infrastructure
- Cloud Service Agreement: Security requirements for cloud service level agreements
Why is ISO/IEC 27017 Important?
ISO/IEC 27017 is essential for organizations providing or using cloud services seeking to address cloud-specific security risks. Here's why this standard is crucial:
1. Cloud-Specific Security Challenges
ISO/IEC 27017 addresses unique cloud security challenges including:
- Multi-tenancy and data segregation in shared environments
- Virtualization security and hypervisor protection
- Data location and sovereignty concerns
- Cloud service supply chain security
- Secure data deletion and asset disposal in the cloud
- Cloud service monitoring and logging
2. Shared Responsibility Clarity
Implementing ISO/IEC 27017 enables organizations to:
- Clearly define security responsibilities between provider and customer
- Understand which security controls are managed by whom
- Establish appropriate cloud service agreements
- Reduce security gaps and misunderstandings
3. Customer Confidence
ISO/IEC 27017 provides a framework for:
- Demonstrating cloud security competence to customers
- Building trust in cloud service offerings
- Meeting customer due diligence requirements
- Differentiating services in a competitive cloud market
4. Regulatory Compliance
ISO/IEC 27017 certification helps organizations meet regulatory requirements for cloud security including GDPR, HIPAA, PCI DSS, and other data protection regulations requiring appropriate security controls for cloud-processed data.
ISO/IEC 27017 Cloud Security Controls
ISO/IEC 27017 provides comprehensive cloud security controls organized into categories:
Cloud-Specific Controls (New Controls)
- Shared Responsibility: Allocation of responsibilities between CSP and CSC
- Asset Removal: Procedures for secure removal of customer assets
- Customer Data Protection: Protection and segregation of customer data
- Virtual Machine Hardening: Security hardening of virtual machine configurations
- Administrative Operations: Security of cloud administrative operations and tools
- Customer Monitoring: Monitoring of customer activities in cloud environments
- Virtual Environment Alignment: Alignment of virtual and physical network security
Key Control Areas
- Information Security Policies: Cloud-specific security policy requirements
- Organization of Information Security: Roles and responsibilities in the cloud
- Human Resource Security: Security requirements for cloud personnel
- Asset Management: Managing assets in cloud environments
- Access Control: Identity and access management in the cloud
- Cryptography: Encryption and key management in the cloud
- Physical and Environmental Security: Data center security for cloud
- Operations Security: Secure cloud operations and change management
- Communications Security: Network security in cloud environments
- System Acquisition: Security in cloud service development and deployment
- Supplier Relationships: Cloud supply chain security
- Incident Management: Security incident response in the cloud
- Business Continuity: Ensuring cloud service availability and resilience
- Compliance: Legal and regulatory compliance for cloud services
Benefits of ISO/IEC 27017 Certification
Achieving ISO/IEC 27017 certification provides organizations with numerous strategic, operational, and commercial benefits:
- Enhanced Cloud Security: Implement comprehensive security controls specifically designed for cloud environments.
- Customer Confidence: Build trust with customers by demonstrating cloud security competence and commitment.
- Competitive Advantage: Differentiate cloud services with internationally recognized security certification.
- Clarity on Responsibilities: Clear definition of security responsibilities between providers and customers.
- Regulatory Compliance: Support compliance with GDPR, HIPAA, PCI DSS, and other regulations.
- Risk Reduction: Minimize cloud-specific security risks through systematic controls.
- Due Diligence Assurance: Provide assurance to customers conducting cloud security due diligence.
- Global Recognition: Gain internationally recognized certification accepted worldwide.
Our ISO/IEC 27017 Certification Process
At Glocert International, we follow a structured and systematic approach to conduct ISO/IEC 27017 certification audits. Our audit process is designed to be transparent, efficient, and supportive, verifying that your cloud security controls meet all ISO/IEC 27017 requirements:
1. Application Process: Submit your application with required documentation. We review your organization's scope and readiness for certification.
2. Initial Audit (Stage 1): Documentation review and readiness assessment. Our auditors verify that your cloud security documentation meets ISO/IEC 27017 requirements.
3. Initial Audit (Stage 2): On-site/remote audit to verify cloud security control implementation and effectiveness.
4. Technical Review: Independent review of audit findings by our technical committee to ensure accuracy and compliance.
5. Decision and Approval: Certification decision based on audit findings. Upon successful completion, certification is approved.
6. Certification Issuance: Receive your ISO/IEC 27017 certificate, valid for three years, with international recognition.
7. Surveillance Audits: Annual surveillance audits to ensure continued compliance and effectiveness of cloud security controls.
8. Re-certification Audit: Comprehensive audit before certificate expiry to renew certification for another three-year period.
Steps in Obtaining ISO/IEC 27017 Certification
While obtaining ISO/IEC 27017 certification may seem daunting, following a structured approach makes the process manageable. Here's the path your organization should take:
- ISO 27001 ISMS Implementation: Establish a foundational ISO 27001 Information Security Management System as ISO/IEC 27017 is typically implemented in conjunction with ISO 27001.
- Gap Analysis and Readiness Assessment: Assess your current cloud security controls against ISO/IEC 27017 requirements to identify gaps. (Note: This should be conducted by an independent consultant, as certification bodies cannot provide consultation services.)
- Define Cloud Service Scope: Clearly identify cloud services in scope (IaaS, PaaS, SaaS) and whether you're a CSP, CSC, or both.
- Map Shared Responsibilities: Document security responsibilities between cloud provider and customer based on service model.
- Cloud Risk Assessment: Conduct cloud-specific risk assessment covering multi-tenancy, virtualization, data location, and cloud-specific threats.
- Implement Cloud Security Controls: Implement ISO/IEC 27017 cloud security controls including the seven cloud-specific controls and cloud guidance for ISO 27002 controls.
- Cloud Service Agreements: Establish or review cloud service level agreements ensuring security requirements are documented.
- Virtualization Security: Implement controls for virtual machine security, hypervisor protection, and virtual network segregation.
- Data Protection in Cloud: Implement encryption, data segregation, secure data deletion, and data location controls.
- Cloud Monitoring and Logging: Establish comprehensive monitoring and logging for cloud environments.
- Documentation: Create comprehensive documentation including cloud security policies, procedures, and control implementation evidence.
- Training and Awareness: Train personnel on cloud security controls and their responsibilities.
- Internal Audit and Management Review: Conduct internal audits to verify effectiveness and hold management reviews.
- Pre-assessment Audit (Optional): Consider a pre-assessment audit to identify any remaining issues before the formal certification audit.
- Final Assessment and Certification: Undergo the formal certification audit (Stage 1 and Stage 2) conducted by Glocert International's accredited auditors.
- Surveillance Audits and Recertification: Maintain certification through annual surveillance audits and prepare for recertification every three years.
Typical Timeline: The certification process typically takes 4-8 months from application to certificate issuance (assuming ISO 27001 is already implemented), depending on your organization's cloud service complexity and current security maturity level.
ISO/IEC 27017 Certification Pricing
Our ISO/IEC 27017 certification pricing is transparent and based on your organization's size, cloud service complexity, and scope. We offer competitive rates with no hidden fees. Contact us for a customized quote tailored to your specific needs.
Request a Quote
Get a personalized estimate based on your organization's size, cloud service model, and security requirements.
Contact Us for Pricing
What's Included in ISO/IEC 27017 Certification Pricing:
- Documentation review and cloud security control assessment
- Stage 1 and Stage 2 audit days (calculated per IAF MD 5)
- Technical review and certification decision
- ISO/IEC 27017 certificate (valid 3 years)
- Certificate listing on our public register
- First year surveillance audit
- Ongoing audit services and support
Note: ISO/IEC 27017 pricing may vary based on cloud service complexity, number of cloud services, deployment model, and additional services. Small organizations typically start from $4,500, medium organizations from $7,500. ISO/IEC 27017 is typically audited in conjunction with ISO 27001. Contact us for a detailed, no-obligation quote.
Frequently Asked Questions (FAQ)
Find answers to common questions about ISO/IEC 27017 certification:
ISO/IEC 27017 is the international standard for cloud security controls. You need it to address cloud-specific security risks, demonstrate cloud security competence to customers, clearly define security responsibilities between cloud providers and customers, meet regulatory requirements for cloud security, and differentiate your cloud services with internationally recognized security certification.
ISO/IEC 27017 builds upon ISO 27001. While ISO 27001 provides the framework for an Information Security Management System (ISMS), ISO/IEC 27017 provides additional cloud-specific security control guidance. Organizations typically implement ISO/IEC 27017 in conjunction with ISO 27001, adding cloud-specific controls to their existing ISMS. ISO/IEC 27017 is based on ISO 27002 (the code of practice for information security controls) and provides cloud-specific implementation guidance.
The timeline varies based on your cloud service complexity and current security maturity. If you already have ISO 27001 certification, the ISO/IEC 27017 certification process typically takes 4-8 months from application to certificate issuance. Without ISO 27001, you'll need to implement both standards, which typically takes 6-12 months total.
Both cloud service providers (CSPs) and cloud service customers (CSCs) can benefit from ISO/IEC 27017 certification. Cloud providers can demonstrate their security capabilities to customers, while organizations using cloud services can show they've implemented appropriate controls for managing cloud security risks. The standard addresses responsibilities and controls for both perspectives.
The seven cloud-specific controls are: 1) Shared roles and responsibilities between CSP and CSC, 2) Removal/return of assets when a customer leaves, 3) Protection and separation of the customer's virtual environment, 4) Virtual machine configuration hardening, 5) Administrator operational security for the cloud, 6) Monitoring of activities within the cloud, and 7) Virtual and cloud network environment alignment. These controls address unique cloud security challenges not fully covered by traditional ISO 27002 controls.
ISO/IEC 27017 certification costs vary based on organization size, cloud service complexity, and deployment model. Small organizations typically start from $4,500, medium organizations from $7,500. Since ISO/IEC 27017 is typically audited alongside ISO 27001, costs are often combined. Contact us for a detailed quote tailored to your organization and cloud services.
Yes, ISO/IEC 27017 applies to all cloud service models - Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). The standard provides guidance on which controls are relevant for each service model and clarifies the shared responsibility between provider and customer in each scenario. The applicability of specific controls varies based on the service model.
The shared responsibility model defines which security controls are managed by the cloud service provider and which are the customer's responsibility. For example, in IaaS, the provider secures physical infrastructure while the customer secures operating systems and applications. ISO/IEC 27017 provides clear guidance on this division of responsibilities, helping both parties understand their security obligations.
After certification, your ISO/IEC 27017 certificate is valid for three years. You'll undergo annual surveillance audits to ensure continued compliance with cloud security controls. You must continue operating and improving your cloud security controls, monitoring cloud environments, updating controls as cloud services evolve, and demonstrating continuous improvement. During the third year, you'll complete a recertification audit to renew your certificate.
Yes, ISO/IEC 27017 supports GDPR compliance by providing controls for protecting personal data in cloud environments. The standard addresses data security, data location, data deletion, and access controls - all relevant to GDPR requirements. Many organizations combine ISO 27001, ISO/IEC 27701 (Privacy), and ISO/IEC 27017 (Cloud Security) for comprehensive data protection in cloud environments.
ISO/IEC 27017 is an international standard with specific cloud security control requirements, while SOC 2 is a US-based reporting framework. ISO/IEC 27017 is a certification (pass/fail), whereas SOC 2 is an audit report describing controls. Both address cloud security but from different perspectives. Many cloud providers pursue both certifications to meet diverse customer requirements - ISO/IEC 27017 for international customers and SOC 2 for US customers.
Why Choose Glocert for ISO/IEC 27017 Certification?
Accreditations
Glocert International is a globally accredited Conformity Assessment Body for ISO/IEC 17021-1:2015 by IAS Inc, USA, a member of the IAF (International Accreditation Forum) and signatory to a number of bilateral, regional and international agreements.
This provides international recognition and acceptance to certificates issued by Glocert International in the following schemes:
- ISO 9001 – Quality Management Systems (QMS)
- ISO 20000-1 – Information Technology Service Management Systems (ITSMS)
- ISO 22301 – Business Continuity Management Systems (BCMS)
- ISO 27001 – Information Security Management Systems (ISMS)
- ISO/IEC 27701 – Privacy Information Management Systems (PIMS)
- ISO 55001 – Asset Management Systems (AMS)
Expertise in Cloud Security Auditing
Our team of experienced auditors possesses in-depth knowledge of ISO/IEC 27017, cloud computing security, and industry best practices across IaaS, PaaS, and SaaS models. We understand that every organization's cloud journey is unique, which is why we conduct thorough ISO/IEC 27017 certification audits that assess your specific cloud security requirements, service models, and compliance with the standard's cloud security controls.
Continuous Audit Support
Beyond ISO/IEC 27017 certification, we provide ongoing audit services through surveillance audits to help you maintain compliance and demonstrate continuous improvement of your cloud security controls. We pride ourselves on providing the highest standard of audit services in the industry, and this is a major reason why more and more organizations choose us as their certification partner for their ISO/IEC 27017 certification needs.
Related Certifications
Many organizations combine ISO/IEC 27017 with other certifications for comprehensive security governance. Consider pairing ISO/IEC 27017 with ISO 27001 for information security management (the required foundation), ISO/IEC 27701 for privacy management, or ISO/IEC 27018 for personal data protection in the cloud to create a comprehensive cloud security framework.
Unlock the Full Potential of Your Organization
Contact us today to learn more about our ISO/IEC 27017 certification and audit services and how we can verify your organization's cloud security controls.