Cloud security, ISO-aligned

Extend your ISMS with ISO 27017 cloud controls

ISO/IEC 27017:2015 adds cloud-specific guidance on top of ISO 27002 — shared responsibility, virtualization, and admin operations — assessed alongside your ISO 27001 certificate.

What is ISO 27017?

ISO/IEC 27017:2015 is the international code of practice for cloud security. It does not stand on its own — it supplements ISO/IEC 27002 by adding cloud-specific implementation guidance to existing controls and introducing seven additional controls that apply only to cloud computing. It is written for both cloud service providers and cloud service customers, making the shared-responsibility model explicit.

What it adds

For many ISO 27002 controls, 27017 provides cloud-specific guidance — how the control applies when infrastructure, platform, or software is consumed as a service. On top of that, it adds cloud-only controls covering areas such as the shared roles and responsibilities between provider and customer, removal and return of customer assets at contract termination, segregation in virtualized environments, virtual machine hardening, and the monitoring of cloud administrative operations.

How it's assessed

Because 27017 is an extension rather than a standalone standard, it is assessed as part of an ISO/IEC 27001 audit. Organizations add 27017 — and frequently ISO 27018 for PII — to the scope of their existing ISMS, so a single certification effort covers information security and cloud-specific controls together.

How episki helps

episki layers ISO 27017 onto your ISO 27001 ISMS: a shared-responsibility matrix for each cloud service, cloud-specific guidance mapped to your ISO 27002 controls, and evidence reused across SOC 2 and the CSA Cloud Controls Matrix — so cloud security is an extension of your program, not a second one.

ISO 27017 outcomes with episki

Quantify the impact security and compliance brings to your business.
  • 37 + 7: ISO 27002 controls with cloud guidance, plus 7 cloud-specific controls.
  • Shared model: provider and customer responsibilities documented per control.
  • 27001 add-on: assessed as an extension of your ISO 27001 ISMS, not a separate program.

Why teams choose episki for ISO 27017

Framework-specific automation, collaboration, and reporting in one workspace.
Cloud controls on your ISMS
ISO 27017 builds on ISO 27002 with cloud-specific implementation guidance.
  • Cloud-specific guidance for relevant 27002 controls
  • Seven additional cloud-only controls
  • Assessed alongside ISO 27001

Shared responsibility, documented
Make the provider/customer split explicit for every cloud control.
  • Provider vs. customer responsibility per control
  • Virtualization and segregation controls
  • Administrative operations and monitoring

Reuse your security evidence
27017 leans on the controls you already maintain for 27001 and SOC 2.
  • Evidence shared with ISO 27001 / 27018
  • Crosswalk to SOC 2 and CSA CCM
  • One audit, broader scope

ISO 27017 readiness inside episki

What a cloud provider or customer needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • ISO 27001 ISMS in place or in progress
  • Shared-responsibility matrix per cloud service
  • Cloud-specific control guidance applied
  • Virtualization segregation and hardening controls
  • Administrator operations logging and monitoring
  • Customer data return and removal on contract exit

ISO 27017 accelerators

Cloud control accelerators

Layer cloud controls onto your ISMS without a parallel project.
  • Shared-responsibility matrix: document provider and customer duties for every cloud control.
  • Cloud control guidance: cloud-specific implementation notes mapped to your ISO 27002 controls.
  • ISO 27001 crosswalk: reuse your ISMS evidence to satisfy the 27017 extension.

Add ISO 27017 to your ISMS in episki

Extend your ISO 27001 program with cloud controls and reuse the evidence across SOC 2 and CSA CCM.