What is ISO/IEC 27017?

ISO/IEC 27017 is aimed at cloud service providers and organizations with cloud infrastructure (their own or via a cloud service provider). The standard suggests additional security controls for the cloud that ISO 27002 and Annex A of ISO 27001 do not adequately cover.

Used with the ISO/IEC 27001 series of standards, ISO/IEC 27017 provides enhanced controls for cloud service providers and cloud service customers. Unlike many other technology-related standards, ISO/IEC 27017 clarifies both parties’ roles and responsibilities to help make cloud services as safe and secure as the rest of the data included in a certified information management system.

What does ISO/IEC 27017 provide?

This standard provides cloud-based guidance on 37 of the controls in ISO/IEC 27002 but also features seven new cloud controls that address the following:

  1. Who is responsible for what between the cloud service provider and the cloud customer
  2. The removal/return of assets when a contract is terminated
  3. Protection and separation of the customer’s virtual environment
  4. Virtual machine configuration
  5. Administrative operations and procedures associated with the cloud environment
  6. Cloud customer monitoring of activity within the cloud
  7. Virtual and cloud network environment alignment

If you work for a cloud service provider or are looking to move your business to the cloud, our ISO 27017 whitepaper can help you understand the key areas of the standard, more about the seven new controls and how organizations can benefit from ISO/IEC 27017.

How will a cloud service provider benefit from ISO/IEC 27017 certification?

  • Inspires trust in your business – provides greater reassurance to your customers and stakeholders that data and information is protected
  • Competitive advantage – demonstrates robust controls are in place to protect data
  • Protects your brand reputation – reduces the risk of adverse publicity due to data breaches
  • Protects against fines – ensures that local regulations are complied with reducing the risk of fines for data breaches
  • Helps grow your business – provides common guidelines across different countries making it easier to do business globally and gain access as a preferred supplier

How will cloud service customers benefit from ISO/IEC 27017 training?

ISO/IEC 27017 is a unique technology standard in that it provides requirements for the customer as well as the cloud service provider. IT Managers and other technical staff responsible for moving organizations to the cloud or expanding a cloud service engagement can reduce risks to their business by ensuring they understand their responsibilities and make more insightful decisions around their choice of provider(s).

Why choose us?

BSI (British Standards Institution) is the business standards company that equips businesses with the necessary solutions to turn standards of best practice into habits of excellence. Formed in 1901, BSI was the world’s first National Standards Body and a founding member of the International Organization for Standardization (ISO). Over a century later it continues to facilitate business improvement across the globe by helping its clients drive performance, manage risk and grow sustainably through the adoption of international management systems standards, many of which BSI originated. Renowned for its marks of excellence including the consumer recognized BSI Kitemark, BSI’s influence spans multiple sectors including aerospace, automotive, built environment, food, healthcare and ICT. With over 80,000 clients in 172 countries, BSI is an organization whose standards inspire excellence across the globe.

Our clients choose us:

  • For our unique client management structure
  • For our expertise
  • For our integrity
  • Because we are performance minded
  • For our expert assessors