ISO/IEC 27017:2015 | Code of Practice — Information Security Controls for Cloud Services

Cloud Security Controls Certification

ISO/IEC 27017 provides cloud-specific information security controls for both cloud service providers and cloud service customers — extending ISO/IEC 27001 and ISO/IEC 27002 to address the unique security challenges of cloud computing environments.

At a glance: cloud-specific controls; published 2015; dual framework for cloud service provider and cloud service customer; builds upon ISO 27001.

What is ISO/IEC 27017?

ISO/IEC 27017 is a code of practice for information security controls applicable to the provision and use of cloud services. Published jointly by ISO and IEC, it provides guidance on the information security aspects of cloud computing — recommending and assisting in the implementation of cloud-specific information security controls.

The standard is structured as an extension to ISO/IEC 27002:2013, providing additional cloud-specific implementation guidance for 37 of its controls where cloud computing introduces new security considerations. It also includes seven new cloud-specific controls, not found in ISO/IEC 27001's Annex A, addressing risks such as shared (multi-tenant) environments, removal of customer assets at the end of a contract and virtual machine hardening.

ISO/IEC 27017 addresses both sides of the cloud relationship: cloud service providers (CSPs) — organisations that offer cloud infrastructure, platforms or software — and cloud service customers (CSCs) — organisations that use cloud services. Each control specifies what applies to the CSP, what applies to the CSC, and where responsibilities are shared.

ISO/IEC 27017 is a code of practice rather than a certifiable management system standard in its own right, so conformity is assessed as an extension of ISO/IEC 27001 certification: the organisation establishes its ISMS under ISO 27001, includes the ISO 27017 guidance and the seven cloud-specific controls in its risk treatment and Statement of Applicability, and has the combined scope audited, demonstrating comprehensive cloud security management to clients and regulators.

Cloud-Specific Controls

7 additional controls not in ISO 27001 Annex A addressing shared environments, virtual machine security and cloud-unique risks.

Dual-Party Framework

Controls specified for both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs) with shared responsibility mapping.

ISO 27001 Extension

Builds directly on ISO/IEC 27001 ISMS — adds cloud security layer to an existing certified information security management system.

Data Residency & Sovereignty

Addresses storage location, data portability, data deletion and jurisdiction — critical concerns for regulated industries and public sector clients.

GDPR & Regulatory Alignment

Supports demonstration of appropriate technical measures for cloud-based personal data processing under UK GDPR and DPA 2018.

Cloud-Specific Controls

In addition to extending ISO/IEC 27002 controls with cloud-specific guidance, ISO/IEC 27017 introduces seven new controls, listed in its own Annex A and prefixed CLD, that apply uniquely to cloud environments. Their numbering follows the clause structure of ISO/IEC 27002:2013 (for example, CLD.9.5.1 sits under clause 9, Access control), not the re-ordered Annex A of ISO/IEC 27001:2022, so map them explicitly if your ISMS uses the 2022 control set.

CLD.6.3.1
Shared Roles & Responsibilities

Clearly documented shared roles and responsibilities between the CSP and CSC for cloud security management.

CLD.8.1.5
Removal of Cloud Service Customer Assets

Timely removal or return of the cloud service customer's assets, including data, configuration and any other customer information held by the CSP, on termination of the cloud service agreement, with the removal process and its timescales documented and agreed in advance.

CLD.9.5.1
Segregation in Virtual Computing Environments

Logical segregation of each cloud service customer's virtual environment (compute, storage and network) from those of other tenants and from the CSP's own management systems, to prevent unauthorised access between tenants.

CLD.9.5.2
Virtual Machine Hardening

Hardening of virtual machines (VMs) to the level required by the business: secure baseline configurations, removal of unnecessary services and open ports, and patched images, to reduce the attack surface and protect against exploitation.

CLD.12.1.5
Administrator's Operational Security

Defined, documented and monitored procedures for critical cloud administration operations where a failure could cause unrecoverable damage (for example, deleting tenant data or changing network configuration), supported by access logging, monitoring and change management of administrator activity.

CLD.12.4.5
Monitoring of Cloud Services

Monitoring capabilities provided by the CSP so that the cloud service customer can observe specified aspects of the operation of the services it uses: audit logs, access monitoring and alerting on anomalous activity, with the scope and format of monitoring data agreed between the parties.

CLD.13.1.4
Alignment of Security Management

Alignment of the security management of virtual and physical networks used by the cloud service, so that segmentation, filtering and logging applied in the virtual network are consistent with the policies enforced on the underlying physical network.

Benefits of ISO 27017 Certification

Cloud security certification demonstrates to clients, regulators and partners that cloud environments are managed with the rigour expected by international standards.

Cloud Customer Assurance

Demonstrates to cloud service customers that their data, workloads and applications are protected by internationally recognised cloud security controls.

Regulatory & GDPR Compliance

Supports cloud-hosted personal data processors in demonstrating appropriate technical measures under UK GDPR, DPA 2018 and sector-specific data regulations.

Competitive Differentiation

ISO 27017 certification differentiates cloud service providers in procurement processes — increasingly required as a baseline security assurance by enterprise and public sector customers.

ISO 27001 Enhancement

Extends existing ISO 27001 ISMS certification to cover cloud-specific risks — a natural progression for organisations already certified to the base information security standard.

Vendor Risk Management

Certified cloud providers reduce the vendor security assessment burden on their clients — providing independently verified evidence of cloud security practice.

Incident Risk Reduction

Implementation of cloud-specific controls reduces the risk of data breaches, misconfigurations and cross-tenant incidents in shared cloud environments.

Contributes to UN Sustainable Development Goals

Certification contributes to achieving multiple United Nations Sustainable Development Goals (SDGs), supporting your organisation's sustainability commitments and ESG reporting.

SDG 9 Industry, Innovation and Infrastructure; SDG 12 Responsible Consumption and Production; SDG 16 Peace, Justice and Strong Institutions.

ISO 27017 Certification Process

ISO/IEC 27017 certification is typically conducted alongside or as an extension to ISO/IEC 27001 certification. RBA Registrars can certify both standards in a combined audit programme.

Step 01
Enquiry & Scope Discussion

Contact RBA Registrars to discuss whether you are a cloud service provider, cloud service customer, or both — and agree the scope of ISO 27017 alongside any existing or planned ISO 27001 certification.

Step 02
Application & Combined Audit Planning

RBA Registrars plans a combined ISO 27001 + ISO 27017 audit programme — or, if ISO 27001 is already in place, a targeted ISO 27017 extension audit covering the cloud-specific controls.

Step 03
Stage 1 — Documentation Review

Review of ISMS documentation extended to include ISO 27017 cloud controls — shared responsibility model, virtual environment controls, data residency documentation and cloud-specific procedures.

Step 04
Stage 2 — Implementation Audit

Full implementation audit of both ISO 27001 ISMS controls and ISO 27017 cloud-specific controls — assessing actual practice in virtual environments, cloud administration, monitoring and tenant management.

Step 05
Certification Decision & Certificate Issue

Independent certification decision. RBA Registrars issues the ISO/IEC 27001 certificate with ISO/IEC 27017 conformity stated in its scope (or adds ISO 27017 recognition to an existing certificate), valid for three years subject to annual surveillance audits and a recertification audit before expiry.

Secure your cloud operations with ISO 27017.

Contact RBA Registrars for a combined ISO 27001 + ISO 27017 quotation.

Related Certifications

ISO/IEC 27017 builds on ISO/IEC 27001 and is complemented by other information security and management system standards.