85% of organizations are expected to face at least one cloud security incident by the end of 2024. 

Cloud environments are particularly susceptible to cybersecurity incidents and data breaches due to a combination of complex configurations, shared responsibility ambiguities, access control challenges, insecure APIs, data exposure risks, human error, and targeted attacks.

ISO 27017 provides a comprehensive framework to help organizations implement security practices specific to protecting cloud environments against these complex threats. By adopting the framework, organizations can systematically address the security challenges of cloud computing, ensuring a robust and reliable cloud security posture.

In this article, we'll explore the key aspects of ISO 27017 compliance, its benefits, control requirements, how it relates to ISO 27001, and the steps to achieve certification.

What is ISO/IEC 27017:2015?

ISO/IEC 27017:2015 is an information security standard for cloud services. It builds on the widely recognized ISO/IEC 27002 framework, which outlines general information security controls, by tailoring them specifically for cloud computing environments.

ISO/IEC 27017:2015 focuses on:

1. Cloud-specific controls: It offers specific guidance on the implementation of information security controls for cloud service providers (CSPs) and/or cloud service customers (CSCs).
2. Enhanced security measures: It includes additional security measures that address the unique risks and challenges associated with cloud computing, such as data isolation, virtual machine security, and cloud service administration.
3. Complementary to ISO 27001: While ISO 27017 focuses on cloud-specific controls, it is designed to be used in conjunction with ISO 27001, which provides the overall framework for an Information Security Management System (ISMS).

Implementation guidance: It provides practical advice on how to implement and manage these controls effectively to ensure the security of cloud services and data.

ISO 27017 vs ISO 27001/ISO 27002: How the standards relate

ISO 27017, ISO 27001, and ISO 27002 are all part of the ISO/IEC 27000 series of standards, which focus on information security management. Each standard has a specific role and purpose, complementing each other to provide a comprehensive approach to information security.

ISO 27001 is the main standard that outlines requirements for building an Information Security Management System (ISMS). It provides a systematic approach to safeguard sensitive information across people, processes, technologies, and risk management. Organizations can complete an external audit by an accredited certification body to become ISO 27001 certified.

ISO 27002 is a supplementary guidance framework for ISO 27001, diving into the specifics of security controls organizations can implement to build, maintain, and continuously improve its ISMS based on their specific needs and risk assessments.

ISO 27017 further builds on ISO 27001 by providing additional controls and guidance specific to cloud computing environments. Organizations that are building and/or maintaining an ISMS based on ISO 27001 can use ISO 27017 to ensure effective cloud security controls.

By integrating ISO/IEC 27017 with ISO 27001, organizations can ensure a strong security posture that provides comprehensive coverage of information security controls, including those unique to cloud services.

Should your organization implement ISO 27017?

ISO 27017 compliance is not mandatory or legally required. However, many organizations choose to implement ISO 27017 because of the associated benefits, including:

• Enhanced cybersecurity for cloud infrastructure: Implementation of cloud-specific controls helps organizations protect sensitive information against cloud-related threats and vulnerabilities.
• Improved risk management for cloud-specific threats: ISO 27017 provides a structured approach to identifying, assessing, and mitigating risks specifically associated with cloud computing.
• Increased trust and credibility: ISO 27017 compliance demonstrates to customers, partners, and stakeholders that the organization follows best practices for cloud security, building trust, confidence, and loyalty.
• Align with existing standards and regulatory requirements: Because it complements ISO 27001, organizations can build on their existing ISMS and enhance their security measures for cloud services. Although it does not guarantee compliance, ISO 27017 also helps organizations meet many of the legal and regulatory requirements related to cloud data protection.
• Competitive differentiation: ISO 27017 certification can provide valuable competitive differentiation, highlighting the organization’s commitment to cloud data security best practices.
• Operational efficiency: Standardized security controls and processes can lead to more efficient operations and fewer security incidents. A culture of continuous improvement in cloud security practices also helps organizations be proactive and stay ahead of emerging threats and vulnerabilities.

Determining whether your organization would benefit from ISO 27017 compliance ultimately comes down to your current cloud security practices, business needs, and customer requirements.

Here are some questions you can ask yourself to help decide if ISO 27017 compliance is a smart choice for your organization:

• Does your organization heavily rely on cloud services for critical operations and data storage? Is your organization planning to expand its use of cloud services, and do you want to ensure robust security practices are in place from the start?
• If you are using multiple cloud service providers, is there a need for standardized security practices across them?
• Have you experienced or are you concerned about potential data breaches or security incidents related to cloud services? Do you have a structured approach to managing cloud-specific risks?
• Are there legal, regulatory, or industry standards that mandate or recommend specific security measures for cloud services? Are you in a highly regulated industry (e.g., finance, healthcare) with stringent data protection requirements?
• Do your customers or partners expect or prefer cloud service providers that adhere to recognized security standards like ISO 27017? Could demonstrating compliance with ISO 27017 enhance your credibility and attract more customers by showcasing your commitment to cloud security?
• Do you have the necessary resources and expertise to implement and maintain compliance with ISO 27017?
• Are you already compliant with ISO 27001 and want to enhance your ISMS to cover cloud-specific controls?

If your answers indicate a significant reliance on cloud services, a need for more secure cloud security practices, customer demand for security assurances, or regulatory pressures, then pursuing ISO 27017 compliance would likely benefit your organization.

Organizations that Benefit from ISO 27017

1. Cloud Service Providers (CSPs): Organizations that offer cloud-based services (IaaS, PaaS, SaaS) and want to ensure they meet international standards for information security. CSPs aiming to demonstrate their commitment to securing client data and managing cloud-specific risks effectively.
2. Cloud Service Customers (CSCs): Organizations that use cloud services and want to ensure that their service providers adhere to best practices for information security. CSCs that need to manage their own responsibilities in the shared security model of cloud computing.
3. Organizations Transitioning to the Cloud: Companies moving their operations or data to the cloud and seeking to establish robust security practices tailored to cloud environments.
4. Highly Regulated Industries: Sectors with strict data protection and security requirements (e.g., finance, healthcare, government) that need to comply with regulatory standards and safeguard sensitive information.

ISO 27017 requirements and controls

ISO 27017 requirements build on the control groups established by ISO 27002, enhancing these controls with additional implementation guidance tailored for cloud services. Below you’ll find some examples of ISO 27017 control objectives.

1. Organizational controls

Shared Roles and Responsibilities within Cloud Computing Environment

• Control Objective: Clearly define and document the shared roles and responsibilities of cloud service providers (CSPs) and cloud service customers (CSCs). Ensure all parties understand their respective responsibilities for implementing and maintaining security controls.

2. Asset management

Removal and Return of Cloud Service Customer Assets

• Control Objective: Establish procedures for the removal and return of CSC assets upon termination of a cloud service. Ensure secure and complete return or deletion of customer data and assets.

Protection and Separation of Customer’s Virtual Environment

• Control Objective: Implement mechanisms to protect and isolate CSCs' virtual environments from each other. Prevent unauthorized access and ensure data isolation between different customers using shared infrastructure.

Cloud Customer Monitoring of Activity

• Control Objective: Implement enhanced logging and monitoring mechanisms specific to cloud environments to capture and analyze security-relevant events, ensuring that logs are protected from tampering and unauthorized access. Ensure that cloud service activities are logged and monitored to detect and respond to security incidents effectively.

The ISO 27017 certification process

The ISO/IEC 27017 certification process closely mirrors the process for ISO 27001 certification, including control implementation, audit prep, and Stage 1 and Stage 2 audits and the three year certificate lifecycle. Moreover, ISO 27017 is an extension of ISO 27001, therefore, an organization that wants to be certified on ISO 27017 must either already be ISO 27001 certified or certify for both ISO 27001 and 27017 at the same time. 

Let’s dive into a detailed overview of the process:

Step 1: Gap analysis

The first step in achieving ISO 27017 compliance is to compare your current cloud security practices to ISO 27017 requirements and determine if any gaps exist.

Identify any areas where your practices do not meet the standard's requirements, then develop a remediation plan to address the identified gaps. Be sure to specify timelines, resources needed, and who is responsible for implementation.

Step 2. Control implementation

Next it’s time to implement the necessary cloud-specific controls. Ensure that both CSPs and CSCs understand and fulfill their respective responsibilities.

Create or update documentation to reflect the implemented controls, including policies and procedures, and ensure that documents are accessible to relevant stakeholders.

If necessary, conduct personnel training sessions to raise awareness about the importance of cloud security, specific cloud security risks facing the business, and the specific policies and processes being implemented to ensure personnel understand their roles and responsibilities.

Step 3. Internal audit

Once you’ve implemented controls and closed any gaps in your compliance posture, perform an internal audit to determine the effectiveness of the controls you’ve implemented. Assess how your cloud security controls operate in practice and document any corrective actions.

Present audit findings to senior management to demonstrate that company leadership is committed to providing the necessary support for ISO 27017 compliance.

Step 4. Certification audits

Now that you’re ready for an external certification audit, you’ll need to choose an accredited certification body to conduct the examination. Choose a certification body that is recognized and has experience with ISO 27017.

Similar to ISO 27001, the initial ISO certification audit itself is broken into two stages. 

Stage 1 Audit (Pre-assessment):

The certification body conducts a preliminary audit to review your documentation and preparedness for the full audit. Any issues identified during this stage must be remediated before proceeding to the Stage 2 audit.

Stage 2 Audit (Certification audit):

The auditor performs a comprehensive assessment of the implementation and effectiveness of your cloud security controls. This step will include interviews, observations, and tests of controls.

If the certification body is satisfied with the audit results, it will issue an ISO/IEC 27017 certification. This certificate is typically valid for three years, with annual surveillance audits between certifications to ensure ongoing compliance with ISO 27017 and address any identified non-conformities.

After the initial certification audit, a three-year certificate lifecycle follows. You can find more details on the ISO 27001 certification process here.

Step 5. Continuous improvement

Organizations must continuously monitor and improve their cloud security practices. During this time it’s important to ensure that all cloud security practices remain effective and compliant with the standard, and fully document any changes made to systems and controls.

At the end of the three-year certification period, a recertification audit will be required to renew ISO 27017 certification.

Automate ISO 27017 compliance with Secureframe 

Secureframe’s powerful security and compliance automation platform supports dozens of security frameworks, including ISO 27017, making it faster and easier to get ISO 27017 certified and demonstrate a strong cloud security posture. 

• Integrate Secureframe with your tech stack to quickly map controls to the ISO 27017 framework, assess your level of compliance, and identify gaps in your security posture  
• Leverage artificial intelligence to automate compliance processes like completing risk assessments and generating policies
• 200+ deep integrations automatically collect audit evidence to streamline audit prep
• Continuously monitor controls to assess and maintain compliance year after year
• Get dedicated support and tailored guidance from security and compliance experts at every step 

Learn more about how our platform and team of experts can help you achieve ISO 27017 and ISO 27001 compliance, or schedule a demo to speak with a product specialist.