ISO/IEC 27017

ISO/IEC 27017 provides guidelines on the information security aspects of cloud computing, recommending information security controls for cloud service providers and customers. It builds on the existing controls in ISO/IEC 27002 with additional implementation guidance specific to cloud services.

Definition and purpose

The purpose of ISO/IEC 27017 is to create a safer cloud computing environment by offering security best practices for cloud service providers and users. These practices are meant to mitigate potential risks associated with the cloud service delivery model and protect the confidentiality, integrity, and availability of data.

Governing Body

ISO/IEC 27017 is developed and published by the International Organization for Standardization (ISO) in collaboration with the International Electrotechnical Commission (IEC).

Last updated

The current edition of the standard is ISO/IEC 27017:2015.

Applies to

ISO/IEC 27017 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that use cloud services or provide cloud platforms.

Controls and requirements

The standard provides a set of cloud-specific controls, in addition to those in ISO/IEC 27002, and includes the following:

  • Shared Roles and Responsibilities: The division of information security responsibilities between the cloud service provider and the customer.
  • Removal/Return of Assets: Processes for returning or destroying customer assets when the service contract ends.
  • Protection of Virtual Machines: Guidelines on the secure set-up and protection of virtual machines.
  • Monitoring of Cloud Services: Guidance on monitoring the effectiveness of the security controls applied to the cloud service.
  • Alignment with Cloud Security Principles: Ensuring cloud services align with recognized security principles for risk assessment and treatment.

Please refer to the official ISO/IEC 27017:2015 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits involve an evaluation of an organization's cloud services and operations against the ISO/IEC 27017 guidance and can be conducted internally or by third-party auditors. The frequency of audits depends on the organization's risk assessment results, the level of change within the cloud services or the organization, and any regulatory requirements. Often, these audits are conducted annually.

The duration of an ISO/IEC 27017 audit varies based on the size and complexity of the cloud services being used or provided, the number of services in scope, and the maturity of the organization's security practices.
