Win enterprise deals
Answer the cloud-security questions in due diligence before they are even asked.
The international code of practice for cloud security controls. It extends ISO 27001 with the cloud-specific guidance enterprise buyers now expect from SaaS and cloud-hosted businesses.
ISO/IEC 27017 is the international code of practice for information security controls for cloud services. It builds directly on ISO/IEC 27001 and 27002, adding cloud-specific guidance for both cloud service providers and the customers who consume them. It is certified as an extension to an ISO 27001 ISMS rather than as a wholly standalone scheme.
Seven cloud-specific controls plus implementation guidance on roughly 37 existing ones. It covers shared responsibility between provider and customer, virtual machine hardening, admin operations security, segregation in virtual environments, monitoring of cloud services, and alignment of security across the cloud supply chain.
SaaS companies, anyone running significant workloads on AWS, Azure or GCP, cloud service providers, and organisations whose enterprise customers demand proof of cloud-specific controls beyond plain ISO 27001. Normally pursued alongside or just after ISO 27001 certification.
Answer the cloud-security questions in due diligence before they are even asked.
A documented shared-responsibility model with your cloud provider, line by line.
VM hardening, segregation and admin controls applied across AWS, Azure or GCP.
A natural bolt-on to your existing ISMS, certified through the same audit.
Weeks 1-2. Map every cloud service, provider and workload in scope of the ISMS.
Weeks 3-4. Apply the seven cloud controls and the implementation guidance to your existing Statement of Applicability.
Weeks 5-8. Shared-responsibility model, VM hardening, segregation, monitoring and admin operations security.
Weeks 9-12. Certified alongside your ISO 27001 ISMS by an accredited certification body.
Not in the same way as a standalone scheme. ISO 27017 is a code of practice that is certified as an extension to an ISO 27001 ISMS. You need ISO 27001 in place, or running in parallel, for the certificate to mean anything.
ISO 27001 is the management system covering information security across the whole organisation. ISO 27017 adds seven cloud-specific controls and implementation guidance on roughly 37 existing ones, so your cloud estate is governed to a recognised standard rather than generically.
Increasingly, enterprise buyers in their due-diligence questionnaires. SaaS companies and any business running significant workloads on AWS, Azure or GCP find it shortcuts the cloud-security section of procurement and vendor reviews.
It is central to the standard. ISO 27017 forces you to document, control by control, what your cloud provider is responsible for and what remains your obligation. We produce that matrix as a core deliverable so there are no grey areas.
Typically 10-12 weeks when bolted onto an existing ISO 27001 ISMS. If you are building both at once, it folds into the wider 27001 timeline rather than adding a separate project.