ISO/IEC 27017.
Security built for the cloud.

The international code of practice for cloud security controls. It extends ISO 27001 with the cloud-specific guidance enterprise buyers now expect from SaaS and cloud-hosted businesses.

The standard.

ISO/IEC 27017 is the international code of practice for information security controls for cloud services. It builds directly on ISO/IEC 27001 and 27002, adding cloud-specific guidance for both cloud service providers and the customers who consume them. It is certified as an extension to an ISO 27001 ISMS rather than as a wholly standalone scheme.

What it adds.

Seven cloud-specific controls plus implementation guidance on roughly 37 existing ones. It covers shared responsibility between provider and customer, virtual machine hardening, admin operations security, segregation in virtual environments, monitoring of cloud services, and alignment of security across the cloud supply chain.

Who needs it.

SaaS companies, anyone running significant workloads on AWS, Azure or GCP, cloud service providers, and organisations whose enterprise customers demand proof of cloud-specific controls beyond plain ISO 27001. Normally pursued alongside or just after ISO 27001 certification.

Key benefits.

01

Win enterprise deals

Answer the cloud-security questions in due diligence before they are even asked.

02

Clarify responsibility

A documented shared-responsibility model with your cloud provider, line by line.

03

Harden your estate

VM hardening, segregation and admin controls applied across AWS, Azure or GCP.

04

Extend ISO 27001

A natural bolt-on to your existing ISMS, certified through the same audit.

Scope. Map. Implement. Certify.

1

Scope your cloud estate

Weeks 1-2. Map every cloud service, provider and workload in scope of the ISMS.

2

Map the controls

Weeks 3-4. Apply the seven cloud controls and the implementation guidance to your existing Statement of Applicability.

3

Implement & harden

Weeks 5-8. Shared-responsibility model, VM hardening, segregation, monitoring and admin operations security.

4

Audit & certify

Weeks 9-12. Certified alongside your ISO 27001 ISMS by an accredited certification body.

  • Cloud scoping report.Every cloud service, provider and workload in scope, mapped.
  • Shared-responsibility matrix.Provider versus customer obligations, documented per control.
  • Updated Statement of Applicability.The seven cloud controls folded into your existing ISO 27001 SoA.
  • Hardening & segregation baselines.VM hardening, virtual-environment segregation and admin operations security.
  • Evidence pack.Documented proof of each cloud control, ready for auditor review.
  • Surveillance plan.Ongoing monitoring of cloud services and supply-chain alignment for annual audits.

Aligned to the standards that matter.

  • ISO/IEC 27017
  • ISO/IEC 27001
  • ISO/IEC 27002
  • CSA STAR
  • NIST CSF

Frequently asked.

Can we certify ISO 27017 on its own?

Not in the same way as a standalone scheme. ISO 27017 is a code of practice that is certified as an extension to an ISO 27001 ISMS. You need ISO 27001 in place, or running in parallel, for the certificate to mean anything.

How is it different from ISO 27001?

ISO 27001 is the management system covering information security across the whole organisation. ISO 27017 adds seven cloud-specific controls and implementation guidance on roughly 37 existing ones, so your cloud estate is governed to a recognised standard rather than generically.

Who actually asks for it?

Increasingly, enterprise buyers in their due-diligence questionnaires. SaaS companies and any business running significant workloads on AWS, Azure or GCP find it shortcuts the cloud-security section of procurement and vendor reviews.

What about the shared-responsibility model?

It is central to the standard. ISO 27017 forces you to document, control by control, what your cloud provider is responsible for and what remains your obligation. We produce that matrix as a core deliverable so there are no grey areas.

How long does it take?

Typically 10-12 weeks when bolted onto an existing ISO 27001 ISMS. If you are building both at once, it folds into the wider 27001 timeline rather than adding a separate project.

Make compliance
feel inevitable.

Book a free consultation