Cloud Compliance - ISO 27017
Jessica Doering

November 16, 2022


Cloud Security - ISO 27017 under ISO 27001

Let's start unusually dry with the official ISO wording of another family member of the ISO 27k series: ISO 27017

ISO/IEC 27017:2015 provides guidance on information security controls for the provision and use of cloud services:

-  Additional implementation guidance for relevant controls specified in ISO/IEC 27002

-  Additional controls with implementation guidance specific to cloud services.

If you have already read our blogs on ISO 27002 and ISO 27005, you will have noticed that all family members contribute to the household income in some way. ISO 27017 is no exception. This standard also covers a part that is specific to it alone and feeds into ISO 27001. Wait, but first into ISO 27002, which in turn feeds into ISO 27001, okay...

Does ISO 27001 become the grandmother if ISO 27002 also has a child? Well, ISO 27001 remains the non plus ultra, the Clan Chief! So let's see who pays into where and to what extent ISO 27017 might be the favorite grandchild. Which, of course, it clearly is NOT. We love you all the same. For sure ya ya... Let's go. 

What is ISO 27017?

A little more definition: Keyword CLOUD! ISO 27017 lives rent free in ISO 27002, but is responsible for the information security controls that deal with the provision and use of cloud services!  

This standard provides a guide to best practices for managing information security. It is derived from ISO 27002 and suggests additional cloud security controls that were not fully defined in ISO 27002.

So ISO 27017 is an information security framework for organizations using cloud services. Cloud service providers should follow this standard because it provides greater security to their cloud service customers through a consistent and comprehensive approach to information security.

So who exactly is the nerdy child of ISO 27002 addressing? 

Who is ISO 27017 for?

ISO 27017 is for organizations that provide services in the cloud computing environment and have an ISMS (Information Security Management System). Secfix is happy to help you with this, by the way. 

ISO 27017 is becoming a mandatory requirement for certain large-scale and government projects. This is because such organizations will only work with companies that can demonstrate a systematic commitment to risk mitigation.

If you are seeking ISO 27001 certification, the granddaughter (ISO 27017) will be addressed anyway if you manage information and data in the cloud. 

It's important to remember that legal, regulatory or other cloud-specific information security requirements will influence the selection of appropriate information security controls when implementing the framework. The same applies to contractual requirements!

The structure of ISO 27017 - how does it work? 

ISO 27017 is structured around the same clauses as ISO 27002, with each clause addressing a specific aspect of information security. As mentioned earlier, the annex to the standard provides additional controls and guidance for implementing specific security controls, covering points that ISO 27002 does not spell out in a cloud-specific way (vulnerability management, for example).

In this way, ISO 27017 sets the security management direction for cloud computing and for virtual and physical networks. ISO 27017 takes all the required protections and threat-based analysis for online security and applies them directly to cloud security, with information security controls that fit the framework.

Thus, ISO 27017 complements its parent framework, ISO 27002, for cloud computing environments by providing additional information, security measures and implementation guidance. 

Impressive to mention, especially when choosing a Christmas gift for ISO 27001's presumed favorite grandchild: 

After all, this grandchild provides implementation guidance for 37 information security controls from ISO 27001, as well as seven additional requirements specific to cloud services. We'll be taking a closer look at its little sister ISO 27018 soon, but ISO 27017 seems to have always been on the fast track in schools.

These cloud controls address the following best practices: 

  • Who is actually responsible for what in the relationship between the cloud service provider and the cloud customer?
  • Removal/return of assets upon termination of a contract. 
  • Protection and segregation of the customer's virtual environment.
  • Configuration of virtual machines.
  • Management operations and procedures related to the cloud environment that allow the customer to monitor relevant activities.
  • Monitoring of the cloud customer's activities within the cloud.
  • Customization of the virtual and cloud network environments.
  • Information security controls based on the ISO 27001 standard and the ISO 27017 framework.

In this way, cloud users and providers can now address basic information security requirements by selecting appropriate controls and implementation guidance based on cloud service risk assessments.

Why implement ISO 27017 and what are the benefits

Why should you implement ISO 27017

  • Protect your information assets in the cloud computing environment
  • Meet legal and regulatory requirements
  • Mitigate the risk of information security incidents
  • Reduce costs by eliminating duplicate controls

This is a way for any company to demonstrate their commitment to protecting customer data. Certification sets you apart from your competitors and makes your customers feel good. It demonstrates your knowledge and expertise in this important area.

It is important that customers have confidence in the security of their information and data in the cloud. ISO 27017 is globally recognized, as is the entire ISO 27k family. This effectively reduces the risk of data breaches. It also demonstrates a dedication to information security techniques, which builds trust with the clientele.


Okay, so if you are working within the cloud, then ISO 27017 plays a special role. Can one actually be certified according to ISO 27017 alone? Doesn't that cover everything you do in the cloud? And actually, you are only "up in the cloud" with the product, the data and the information anyway... So why still ISO 27001?

Since ISO 27017 is not an information security management system standard, unlike ISO 27001, you cannot get certified to this standard on its own. Yes, a pity, you think at first. But a nice certificate for ISO 27017 on the popular office wall (mostly decorated with landscape and pet snapshots) can still be there!

However, you can get certified to ISO 27017 as part of an ISO 27001 certification process.

In order to do so, you must include the specific controls in ISO 27017 in the scope of the ISO 27001 certification audit.

And with this expansion of the scope of ISO 27001 to include the controls in ISO 27017, you can get independently verified certification. Not only does this make the office wall look more professional right away, you also demonstrate compliance with this standard. The above-it-all ISO 27001 certificate hangs in the boss's office, of course! A bit of swagger is absolutely fine - because ISO 27001 certification is a game changer.

Summary: ISO 27017 is based on the ISO 27001 standard and the ISO 27002 framework, and implementation of ISO 27017 demonstrates that your organization has established best practices for protecting against cloud-related threats to both cloud service providers and cloud service customers. ISO 27017 therefore complements the requirements of the ISO 27002 framework, but does not replace them.

Focus on building Security and run Compliance in the background

Secfix has the largest partner network of pentesting companies and auditors in EU and can reduce the time, effort and cost for an ISO 27001 certification with its software.


Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet and is especially open-minded for any future-oriented inspiring humans and things that cross her path.
