AuditXYZ

Compliance Framework

ISO/IEC 27017:2015 Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services

ISO 27017 provides cloud-specific security controls and implementation guidance for cloud service providers and customers. Learn how it extends ISO 27001 for cloud environments.

$15,000–$80,0002–6 monthsAudit Required2015
Request a ConsultationSee process
Issuing BodyInternational Organization for Standardization (ISO) / International Electrotechnical Commission (IEC)
First Published2015-12-15
Latest Version2015
Typical Cost$15,000–$80,000
Typical Timeline2–6 months
Audit RequiredYes
Audit FrequencyAudited as an extension to ISO 27001 surveillance and recertification cycles
Geographyglobal

ISO 27017: Cloud Security Controls Guide

ISO/IEC 27017 provides guidelines for information security controls applicable to the provision and use of cloud services. It extends ISO 27002 with cloud-specific implementation guidance and introduces seven additional controls unique to cloud computing.

What ISO 27017 Covers

The standard addresses security from both perspectives: cloud service providers (CSPs) and cloud service customers (CSCs). For each ISO 27002 control, ISO 27017 adds cloud-specific implementation guidance, clarifying responsibilities for each party.

Seven additional controls address cloud-specific concerns: shared roles and responsibilities, asset removal after contract termination, virtual environment segregation, virtual machine hardening, administrator operational security, cloud network monitoring, and alignment of security management across virtual and physical networks.

Who Needs ISO 27017

Cloud service providers seeking to differentiate on security should consider ISO 27017. It is particularly valuable for IaaS, PaaS, and SaaS providers that need to demonstrate cloud-specific security measures beyond what ISO 27001 alone covers.

Cloud customers in regulated industries also benefit, as ISO 27017 provides a framework for evaluating and managing cloud-related risks. Financial institutions and government agencies increasingly expect their cloud providers to hold ISO 27017 certification.

Certification Process

ISO 27017 is not a standalone certification. Organizations certify by extending their ISO 27001 scope to include ISO 27017 controls. This means you must have or be pursuing ISO 27001 certification first.

  1. Prerequisite — Establish an ISO 27001-certified ISMS
  2. Cloud risk assessment — Identify cloud-specific threats and vulnerabilities
  3. Control gap analysis — Map existing controls to ISO 27017 requirements
  4. Implement additional controls — Address the seven cloud-specific controls
  5. Extend audit scope — Include ISO 27017 in your next ISO 27001 audit cycle

Cost Considerations

For organizations already ISO 27001 certified, the incremental cost of adding ISO 27017 is modest. Primary expenses include additional consulting for cloud-specific gap analysis, documentation updates, and slightly expanded audit scope. Expect $15,000 to $30,000 in incremental costs for a mid-size cloud provider.

Get the ISO 27017 starter pack

By submitting, you agree to our privacy policy.

Framework Mappings

Related frameworks

iso-27001iso-27002iso-27018csa-star

Get matched with a ISO 27017 auditor in 24 hours

Free, no-obligation — just tell us your email and we'll do the rest.

By submitting, you agree to our privacy policy.

Related Frameworks

CSA STAR
Framework
CSA STAR is the global cloud security assurance programme with three certification levels. This guide covers self-assessment, certification, attestation, and how STAR differentiates cloud providers.
View
ISO 27001
Framework
ISO 27001 is the international gold standard for information security management. This guide covers everything from scoping to certification, with real costs, timelines, and practical implementation advice.
View
ISO 27002
Framework
ISO 27002 provides detailed implementation guidance for the 93 information security controls referenced by ISO 27001. Learn how to use it as your control selection and implementation companion.
View
ISO 27018
Framework
ISO 27018 sets controls for protecting personally identifiable information in public cloud services. Learn how it helps cloud providers demonstrate PII protection compliance.
View

Recommended Tools

6clicks Review 2026: Pricing, Features, and Verdict
Tool
Review of 6clicks, the AI-powered GRC platform with hub-and-spoke architecture. Covers Hailey AI, multi-entity support, pricing, and ideal use cases.
View
Akitra Review 2026: Pricing, Features, and Verdict
Tool
Review of Akitra, a compliance automation platform with broad framework coverage including FedRAMP and CMMC. Covers pricing, features, and who should use it.
View
Anecdotes Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes, a compliance OS that aggregates security tool data. Covers the aggregation approach, AI gap analysis, and comparison with Vanta.
View
Anecdotes Trust Center Review 2026: Pricing, Features, and Verdict
Tool
Review of Anecdotes Trust Center, the compliance-as-code trust portal. Covers live compliance sync, developer-friendly approach, pricing, and positioning.
View