ISpectra Technologies
Cloud Security · Code of Practice

What is ISO 27017?

An international code of practice that extends ISO 27001/27002 with cloud-specific controls, clarifying provider and customer responsibilities.

Definition

ISO/IEC 27017 is an international code of practice that provides cloud-specific information security guidance, building on the controls in ISO/IEC 27002. It adds cloud-oriented implementation guidance plus additional controls that address the shared responsibilities between cloud service providers and their customers.

ISO 27017 isn’t certified on its own; it’s implemented alongside an ISO 27001 ISMS, and auditors can include it within the ISO 27001 certification scope. It’s a strong signal for providers and customers who want clarity on who secures what in the cloud.

What ISO 27017 adds

1

Shared responsibility

A clear split of security duties between provider and customer.

2

Cloud asset management

Return and removal of assets when a contract ends.

3

Virtualisation security

Segregation within shared and virtual environments.

4

Administrator operations

Monitoring of privileged cloud operations.

5

Customer monitoring

Visibility into relevant cloud activity for customers.

Who needs to comply?

ISO 27017 suits cloud service providers and cloud-consuming organisations that already run (or plan) an ISO 27001 ISMS and want to demonstrate cloud-specific security maturity.

How ISpectra helps

ISpectra extends your ISO 27001 ISMS with the ISO 27017 controls, documents shared-responsibility boundaries, and prepares the combined scope for audit.

Talk to an advisor