What is ISO 27017?
An international code of practice that extends ISO 27001/27002 with cloud-specific controls, clarifying provider and customer responsibilities.
Definition
ISO/IEC 27017 is an international code of practice that provides cloud-specific information security guidance, building on the controls in ISO/IEC 27002. It adds cloud-oriented implementation guidance plus additional controls that address the shared responsibilities between cloud service providers and their customers.
ISO 27017 isn’t certified on its own; it’s implemented alongside an ISO 27001 ISMS, and auditors can include it within the ISO 27001 certification scope. It’s a strong signal for providers and customers who want clarity on who secures what in the cloud.
What ISO 27017 adds
Shared responsibility
A clear split of security duties between provider and customer.
Cloud asset management
Return and removal of assets when a contract ends.
Virtualisation security
Segregation within shared and virtual environments.
Administrator operations
Monitoring of privileged cloud operations.
Customer monitoring
Visibility into relevant cloud activity for customers.
Who needs to comply?
ISO 27017 suits cloud service providers and cloud-consuming organisations that already run (or plan) an ISO 27001 ISMS and want to demonstrate cloud-specific security maturity.
How ISpectra helps
ISpectra extends your ISO 27001 ISMS with the ISO 27017 controls, documents shared-responsibility boundaries, and prepares the combined scope for audit.
Talk to an advisor