A recent study by Gartner states that the total end-user spending on public cloud services was estimated to reach $591.8 billion by the end of 2023—a 20.7% surge over the last year.
As the cloud computing landscape flourishes with new innovations, companies are increasing their investment in such technologies. However, with widespread implementation also comes increased security risk. This is why cybersecurity is a top priority for global organizations going into 2024.
Compliance is a big component of cybersecurity and plays a crucial role in minimizing cloud security issues. Among the many security standards is ISO/IEC 27017:2015, a forerunner that deals specifically with cloud data security, cloud service providers, and cloud computing.
In this blog, we delve deeper into ISO 27017 compliance, its scope, benefits, challenges, and more.
What is an ISO 27017 certification?
Building on ISO 27001’s foundation, ISO 27017 is a framework that delivers targeted security guidelines designed to address the unique challenges faced by cloud service providers and their customers.
The ISO 27017 standard covers cloud-specific implementation guidance for the controls of ISO/IEC 27002 (the control catalogue from which an ISO/IEC 27001 Information Security Management System, or ISMS, selects its controls) as well as additional controls that are unique and specific to cloud environments.
Presently, ISO 27017 has only one edition, published in 2015. A second edition is in progress, slated to be published in 2025.
What is the scope of ISO/IEC 27017?
ISO 27017 applies to cloud service providers and cloud service customers that have an Information Security Management System in place as per the specifications laid out in ISO 27001. The standard provides cloud-specific implementation guidance for 37 of the controls in ISO/IEC 27002, which the organization selects based on its risk assessment. It also adds the following seven controls that are unique and specific to cloud services:
- The shared roles and responsibilities of cloud service customers and cloud service providers for cloud computing security
- The removal and, where agreed, return of customer assets and data on contract termination
- Protection and separation of each customer’s virtual environment from those of other customers
- Hardening of virtual machines, i.e. minimizing the vulnerability surface according to business requirements
- The operational security of administrator roles
- The provider’s capability to let cloud customers monitor the services they use
- Alignment of security management for virtual and physical networks
Who needs to implement ISO/IEC 27017?
ISO/IEC 27017, as a framework, allows organizations to adopt a methodical and consistent approach to customer security by focusing thoroughly on cloud and data security. It applies specifically to cloud service providers and cloud service customers.
ISO 27017 is comprehensive in the way it specifies what customers can expect from their cloud service providers as well as the responsibilities and obligations customers have to create and maintain a secure cloud environment.
ISO 27017 vs ISO 27001: Key differences
Since we’ve mentioned both standards, it’s important to clear up how they differ:
| | ISO/IEC 27017 | ISO/IEC 27001 |
|---|---|---|
| Purpose and scope | An extension of ISO 27001 that deals with cloud security. The code of practice provides guidelines for cloud service providers (CSPs) and cloud customers. | A comprehensive ISMS standard that helps organizations establish, implement, maintain, and improve their ISMS. |
| Applicability | Primarily applicable to CSPs and cloud customers. | Applicable to any organization irrespective of size, industry, or nature. |
| Controls | Seven unique cloud security controls plus cloud-specific guidance on 37 controls from ISO 27002. | Annex A of the 2013 edition lists 114 controls in 14 domains; the 2022 edition consolidates these into 93 controls in four themes. |
7 Steps to Get ISO 27017 Certified
While ISO 27017 serves as an essential framework for companies looking to demonstrate their commitment to cloud security and stand out from competitors, it’s important to understand that ISO 27017 is not available as an independent certification.
How ISO 27017 Certification Actually Works
Unlike management system standards such as ISO 27001, ISO 27017 is a code of practice rather than a standalone certification framework. Companies cannot obtain a separate ISO 27017 certificate through an independent audit of that standard alone.
Instead, organizations incorporate ISO 27017’s cloud-specific controls into the scope of their ISO 27001 certification, and the certification body attests to those controls as part of the ISO 27001 audit.
Here’s a list of cloud-specific steps that companies need to follow to adhere to the ISO 27017 framework:
1. Determine your current state and conduct risk assessment
Conduct a thorough study of your current cloud security policies. An honest assessment of applicable cloud and security controls can help companies determine where their measures are falling short and what needs to be addressed.
At this point, it’s important to record, in detail, all the risks that could affect the confidentiality, integrity, and availability of assets and systems, and the ownership of those assets, and to determine the impact and likelihood of each risk. Thorough risk management also helps the company determine which controls within ISO/IEC 27002 fall within the scope of the exercise.
2. Form a team and assign responsibilities
Responsibilities are a crucial part of getting ISO certified. Create a team of security and control specialists that can help you choose the right ISO 27002 controls that are relevant to your organization and carry out the unique control requirements. Clearly define a timeline and an action plan for implementation.
3. Implement new controls
Implement the controls and security guidelines outlined in this framework. This is an ongoing effort that takes a significant bulk of the time. Because ISO 27001 and ISO 27002 are typically deployed together, a number of the 37 ISO 27002 controls may already be implemented. The seven cloud-specific controls, however, usually need to be rolled out from scratch.
4. Conduct staff training
Once controls are implemented, it’s important to educate your employees on operating them effectively. Ensure your internal teams receive sufficient awareness and role-oriented training and updates so they can carry out their duties efficiently. Areas such as data handling and incident reporting need special attention since they affect both the ISO 27001 certification and the ISO 27017 scope within it.
5. Document your processes
ISO 27017, like any security framework, is heavy on documentation. Create SOPs and take special care to document your business processes and controls along the way. These function not only as evidence but also as guidelines for surveillance and recertification audits.
6. Conduct an internal audit in tandem with ISO 27001
As mentioned earlier, the ISO 27017 certification happens in tandem with ISO 27001. Therefore, it’s important to conduct a thorough internal audit that assesses both ISMS implementation as well as controls relevant to cloud services. An effective internal audit undergoes three stages of review—documentation, field review (which generates an internal audit assessment report), as well as a management review. The findings from the assessment report need to be implemented and tested before considering a formal external audit.
7. Undergo an external audit
The first course of action is to notify the certification body that the scope of assessment includes the criteria of ISO/IEC 27017 in addition to ISO 27001. The external certification audit typically happens in two stages. The first stage audits the evidence of implementation and its sufficiency: the auditor reviews documentation of processes, SOPs, and practices in place, as well as the systems that fall within the scope of the ISMS, and then presents an assessment report of the findings, which the company is required to act on.
The second stage takes place within six months of stage one. The auditor evaluates the ISMS on a sample basis to determine whether it is operating in conformity with the standard, and assesses the corrective and preventive actions taken in response to the stage-one findings. The auditor then presents a list of observations that highlights major and minor non-conformities as well as opportunities for improvement. Major non-conformities must be addressed, and the evidence shared with the auditor, before the certificate is issued.
Compliance is not a one-time thing. Companies are expected to monitor their ISMS continuously, undergo regular surveillance audits (typically annual, with recertification every three years), and keep their systems updated.
Benefits of ISO 27017
ISO 27017 as a framework is designed specifically to help companies that operate largely on the cloud and focus on providing their customers with secure cloud services. The following are a few benefits of implementing the framework:
Standardized cloud security
ISO 27017 is a well-thought-out framework focused on reducing cloud-related risks and ensuring a standardized implementation of cloud-based security measures.
Complements ISMS implementation
ISO 27017 is deployed in tandem with other frameworks within the series. So implementing ISO 27017 ensures that the cloud element of operations complements the organization’s ISMS.
Brings together service providers and customers
ISO 27017 is explicit in the way it defines security roles and responsibilities for customers as well as service providers to ensure a high standard of protection.
Sustained approach to strategy
Implementing ISO 27017 ensures a long-term approach to data security strategy. The standard helps organizations stand out from the competition and enables sustained development.
Reduced reputational risk
Companies that adopt ISO 27017 reduce their exposure to data breaches. They are also able to offer better transparency of their cloud operations and so build customer trust and strong business relationships.
Challenges of implementing ISO/IEC 27017
As with every framework, implementing ISO 27017 can have some challenges. The following are some of the most common challenges companies may face while doing so:
Changing landscape
The nature of cloud computing is constantly changing, so interpreting the requirements correctly and keeping up to date with the latest threat landscape takes sustained effort.
Service provider inconsistency
ISO 27017 heavily hinges on how effectively cloud service providers implement controls and requirements. Customers may face risk exposure if cloud service providers do not consistently apply the standard.
Increased complexity
Since this framework does not have an independent certification, companies will want to deploy it along with complementary standards. But implementing this standard and integrating it with other standards is not straightforward.
List of ISO 27017 unique controls
ISO/IEC 27017 introduces seven additional controls specific to cloud security, supplementing the ISO 27001 Annex A controls. These are:
- CLD.6.3.1: Shared roles and responsibilities within a cloud computing environment–Defines and allocates security responsibilities between Cloud Service Providers (CSPs) and the customer.
- CLD.8.1.5: Removal of cloud service customer assets–Ensures customer assets are removed from the provider’s systems, or returned, when the contract ends.
- CLD.9.5.1: Segregation in virtual computing environments–Requires each customer’s virtual environment (compute, storage, network) to be isolated from other customers and from the provider’s own environment.
- CLD.9.5.2: Virtual machine hardening–Mandates secure configuration of virtual machines to reduce vulnerabilities.
- CLD.12.1.5: Administrator’s operational security–Specifies security practices for administrative operations in cloud systems.
- CLD.12.4.5: Monitoring of cloud services–Requires the provider to give customers the capability to monitor activity in their cloud services.
- CLD.13.1.4: Alignment of security management for virtual and physical networks–Ensures consistent security policy across virtual and physical network infrastructure.
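As an added illustration (not part of ISO/IEC 27017 and not any vendor’s tooling), the following Python script shows how four of these controls, and the matching items in the scope list earlier on this page, can be expressed as machine-checkable evidence run over a provider’s VM inventory. The inventory records, the "vnet-<tenant>" network naming convention, the allowed-port and patch baselines, and the purge deadlines are all constructed assumptions; the standard gives guidance, not these parameters.

```python
"""Compliance-as-code checks for four ISO/IEC 27017 CLD controls.

Added example, not ISO/IEC 27017 text or any vendor's product. The inventory
schema, naming convention, port/patch baselines and purge deadlines below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory of a multi-tenant provider's virtual machines.
INVENTORY = [
    {"vm": "web-01", "tenant": "acme", "net": "vnet-acme",
     "open_ports": [443], "disk_encrypted": True,
     "patch_baseline": "2024-05", "audit_log_export": True},
    {"vm": "db-01", "tenant": "acme", "net": "vnet-acme",
     "open_ports": [5432, 22, 3389], "disk_encrypted": False,
     "patch_baseline": "2023-11", "audit_log_export": True},
    {"vm": "app-07", "tenant": "globex", "net": "vnet-acme",  # another tenant's network
     "open_ports": [443], "disk_encrypted": True,
     "patch_baseline": "2024-05", "audit_log_export": False},
    {"vm": "old-03", "tenant": "initech", "net": "vnet-initech",
     "open_ports": [], "disk_encrypted": True,
     "patch_baseline": "2024-05", "audit_log_export": True},
]
# Constructed: tenants whose contracts ended, with the agreed purge deadline.
TERMINATED = {"initech": date(2024, 3, 31)}
TODAY = date(2024, 6, 1)

ALLOWED_PORTS = {22, 443}        # assumed hardening baseline (CLD.9.5.2)
MIN_PATCH_BASELINE = "2024-01"   # assumed; YYYY-MM strings compare chronologically


@dataclass(frozen=True)
class Finding:
    control: str   # CLD identifier from ISO/IEC 27017
    vm: str
    detail: str


def check_hardening(vm: dict) -> list[Finding]:
    """CLD.9.5.2: only baseline ports exposed, disk encrypted, patch level current."""
    out = []
    extra = sorted(set(vm["open_ports"]) - ALLOWED_PORTS)
    if extra:
        out.append(Finding("CLD.9.5.2", vm["vm"], f"ports outside baseline: {extra}"))
    if not vm["disk_encrypted"]:
        out.append(Finding("CLD.9.5.2", vm["vm"], "disk not encrypted"))
    if vm["patch_baseline"] < MIN_PATCH_BASELINE:
        out.append(Finding("CLD.9.5.2", vm["vm"],
                           f"patch baseline {vm['patch_baseline']} older than {MIN_PATCH_BASELINE}"))
    return out


def check_segregation(vm: dict) -> list[Finding]:
    """CLD.9.5.1: a VM must sit in its own tenant's network (assumed 'vnet-<tenant>' convention)."""
    expected = f"vnet-{vm['tenant']}"
    if vm["net"] != expected:
        return [Finding("CLD.9.5.1", vm["vm"], f"attached to {vm['net']}, expected {expected}")]
    return []


def check_monitoring(vm: dict) -> list[Finding]:
    """CLD.12.4.5: the customer must be able to receive audit logs for its own resources."""
    if not vm["audit_log_export"]:
        return [Finding("CLD.12.4.5", vm["vm"], "audit log export to customer disabled")]
    return []


def check_removal(vm: dict, terminated: dict, today: date) -> list[Finding]:
    """CLD.8.1.5: no asset of a terminated customer may survive past the agreed purge date."""
    deadline = terminated.get(vm["tenant"])
    if deadline is not None and today > deadline:
        overdue = (today - deadline).days
        return [Finding("CLD.8.1.5", vm["vm"],
                        f"asset of terminated tenant still present {overdue} days after purge deadline")]
    return []


def evaluate(inventory: list, terminated: dict, today: date) -> list[Finding]:
    """Run every check over every VM and collect the findings."""
    findings = []
    for vm in inventory:
        findings += check_hardening(vm)
        findings += check_segregation(vm)
        findings += check_monitoring(vm)
        findings += check_removal(vm, terminated, today)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per control; a non-empty map is the list of non-conformities to fix."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate(INVENTORY, TERMINATED, TODAY)
    for f in results:
        print(f"{f.control:<11} {f.vm:<7} {f.detail}")
    print(summarize(results))
```

Run as a script it prints one line per finding and a per-control count. In a real deployment the inventory would be an export from the provider’s cloud API, and each Finding would be stored as audit evidence against the CLD control it names, which is the kind of mapping an auditor expects to see during the stage-one documentation review.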
What standards can ISO 27017 be integrated with?
ISO 27017 doesn’t operate in isolation; it’s designed to work alongside and enhance existing standards such as:
ISO/IEC 27001 – Information Security Management Systems (ISMS)
ISO 27017 extends ISO 27001’s foundational management framework by adding cloud-specific controls. While ISO 27001 provides policies, risk assessment, and governance structures, ISO 27017 addresses the unique challenges of shared responsibility in cloud environments.
ISO/IEC 27002 – Code of Practice for Information Security Controls
Building on ISO 27002’s implementation guidance, ISO 27017 tailors traditional security controls specifically for cloud service providers and customers, ensuring established best practices remain effective in cloud computing scenarios.
Cloud Security Alliance (CSA) – Cloud Controls Matrix (CCM)
ISO 27017 aligns closely with CSA’s Cloud Controls Matrix, enabling organizations to map controls between frameworks. This compatibility helps meet diverse customer and regulatory expectations while maintaining consistent cloud security implementations.
NIST Frameworks
ISO 27017 complements NIST SP 800-53 and the NIST Cybersecurity Framework through significant control overlap. Organizations can implement harmonized approaches that satisfy multiple compliance requirements simultaneously.
GDPR – General Data Protection Regulation
Though GDPR is a legal regulation, ISO 27017 supports compliance by addressing data protection in cloud environments, clarifying processor/controller roles, and providing technical measures required under Article 32’s security of processing provisions.
Get ISO 27017 certified with Sprinto
ISO/IEC 27017 is less complex to implement than a full management system standard, because it builds on the ISMS you already have. It is nonetheless an important framework for companies that operate largely on the cloud. With data breaches at an all-time high, companies are under immense pressure to protect data and provide their customers with a safe and secure cloud service. And although the framework is comparatively simple, the challenges described above can still prove cumbersome.
Sprinto is a compliance automation platform that enables organizations to become ISO 27017 compliant without any of the manual work. The platform provides customized guidance and reduces the time to get audit ready by mapping requirements to controls, automating surveillance and checks, and gathering evidence of compliance. In short, it makes quick work of complex requirements and ensures you’re focused on the things that matter.
Ready to get started? Speak to our experts today.
Frequently Asked Questions
What is the difference between ISO 27001 and ISO 27017?
ISO 27001 is a general standard for managing information security through an Information Security Management System (ISMS), applicable to all types of organizations. ISO 27017, on the other hand, is a complementary standard that provides specific guidelines for cloud security, addressing additional controls and responsibilities for both cloud service providers and customers.
What are the domains that ISO/IEC 27017:2015 covers?
The ISO/IEC 27017:2015 standard covers key topics such as asset ownership, data segregation, secure storage, removal of assets after contract termination, and alignment of customer and service provider roles, among many others.
What is the difference between ISO 27017 and ISO 27018?
Broadly, ISO 27017 offers guidelines on information security for cloud services in general, whereas ISO 27018 offers cloud service providers that act as processors of personally identifiable information (PII) guidelines on selecting and implementing controls to protect that PII in public clouds. Both are codes of practice audited within an ISO 27001 scope rather than standalone certifications.
Is ISO 27017 part of ISO 27001?
ISO 27017 is a security framework that complements ISO 27001. While ISO 27001 provides requirements for creating, implementing, and maintaining an ISMS, ISO 27017 offers implementation guidelines that apply to cloud security in particular. ISO 27017 is typically deployed as a complementary framework to ISO 27001 and ISO 27002.
Payal Wadhwa
Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!