Apply cloud-specific security controls as an extension to ISO 27001.
ISO/IEC 27017 is a code of practice that provides cloud-specific information security controls. It supplements the guidance in ISO 27002 with additional controls and implementation guidance for both cloud service providers and cloud service customers.
ISO 27017 is not independently certifiable — it is implemented alongside an ISO 27001 ISMS to address cloud-specific risks.

Who needs ISO 27017:2015?

Cloud providers

Organizations offering cloud services that want to demonstrate cloud-specific security.

Cloud customers

Organizations using cloud services that need guidance on their security responsibilities.

Key components

Shared responsibility

Clarifies the division of security responsibilities between provider and customer.

Cloud controls

Cloud-specific implementation guidance for 37 of the existing ISO 27002:2013 controls, covering what the provider and the customer must each do to meet the control in a cloud context.

Seven new controls

Seven cloud-specific controls (the "CLD" controls) that have no counterpart in ISO 27002, covering areas such as shared roles and responsibilities, removal of customer assets at contract end, segregation in virtual computing environments, virtual machine hardening, administrator operational security, monitoring of cloud services, and alignment of security management between virtual and physical networks.

Customer guidance

Helps customers understand and configure their cloud security posture.

How DSALTA helps with ISO 27017:2015

1

Activate ISO 27017

Select ISO 27017 alongside your ISO 27001 ISMS. DSALTA maps the cloud-specific controls onto your existing ISO 27001 control set.
2

Review cloud controls

Review the cloud-specific controls and assign owners.
3

Collect evidence automatically

Connect cloud integrations to gather evidence for cloud controls.
4

Approve policies

Review and approve cloud security policies.
5

Prepare for audit

Share cloud control evidence with your certification body.

Frequently asked questions

Is ISO 27017 independently certifiable?

No. It is implemented as an extension to ISO 27001 and assessed as part of that certification.

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 covers cloud security broadly, while ISO 27018 focuses specifically on protecting personal data (PII) in public clouds.