
ISO 27017
Cloud Information Security
What is ISO 27017?
ISO/IEC 27017 is an international standard that extends ISO 27001, focusing on information security in cloud environments. It provides additional guidelines for both cloud service providers and their customers, helping to secure data processed under SaaS, PaaS, and IaaS models.
The standard was developed in response to the growing use of cloud services and the need to standardize security measures in this IT delivery model.
What Does ISO 27017 Cover?
ISO 27017 includes:
- best practices for cloud risk management
- recommendations on access control for cloud resources
- rules for secure data storage, encryption, and deletion
- guidance on roles and responsibilities between provider and client (for example, who is responsible for which aspects of security)
- requirements for monitoring and responding to incidents in cloud environments
The standard includes 37 detailed controls that complement ISO 27001.
Who Is ISO 27017 For?
ISO 27017 is intended for:
- companies providing cloud services (SaaS, PaaS, IaaS, infrastructure providers)
- organizations storing data in the cloud that want to ensure proper security management
- software houses building cloud-based B2B solutions
Benefits of Implementing ISO 27017
- Increased security of cloud-stored data
- Clear division of responsibilities between the client and the cloud provider (e.g. Amazon Web Services, Microsoft Azure)
- Reduced risk of misconfiguration or unauthorized access
- Better preparation for external audits or regulatory requirements (e.g. GDPR, DORA, NIS2)
- Competitive advantage when offering cloud-based solutions
ISO 27017 Implementation Stages
FAQ – Frequently Asked Questions
Is ISO 27017 mandatory?
No, but it is increasingly expected by corporate clients, especially when sensitive data is processed in the cloud.
Do I need ISO 27001 to implement ISO 27017?
Yes. ISO 27017 is an extension of ISO 27001, so it must be implemented together with ISO 27001 or added to an existing ISMS.
Which cloud platforms are covered by ISO 27017?
The standard is technology-neutral. It can be applied regardless of whether you use AWS, Azure, Google Cloud, OVH, or any other provider.
Does the standard cover backups and data deletion?
Yes, ISO 27017 defines how to securely back up data and permanently delete it from cloud resources.
