verified_user
Standardful
Homechevron_rightStandardschevron_rightISO/IEC 27017:2015
ActiveInternational Standardupdate Standard Updated: Dec 2015fact_check Fact checked: Jun 28, 2026

ISO/IEC 27017:2015

Code of practice for information security controls based on ISO/IEC 27002 for cloud services

apartmentPublishing Organization:International Organization for Standardization (ISO)

Standard Introduction

ISO/IEC 27017:2015 is an active standard published by International Organization for Standardization (ISO). It is commonly used across Technology, Services, Finance & Banking, Healthcare and applies in Global.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with ISO/IEC 27017:2015.

cloud

Cloud-Specific Controls

Provides 7 additional controls beyond ISO 27002, addressing shared responsibility, virtual machine hardening, customer asset removal, and virtual environment segregation.

handshake

Shared Responsibility Model

Clearly delineates security responsibilities between cloud service providers and cloud service customers — a critical distinction often misunderstood in cloud deployments.

visibility

Customer Monitoring

Requires cloud providers to enable customers to monitor relevant activities within their cloud environment, supporting transparency and compliance verification.

list_alt Key Control Areas

  • Shared roles and responsibilities in cloud environments
  • Virtual machine hardening and isolation requirements
  • Customer asset removal upon contract termination
  • Virtual environment segregation between tenants
  • Cloud administrative operations procedures
  • Customer activity monitoring capabilities
  • Alignment of virtual and physical network security
  • Guidance for both cloud service providers and customers

Who Needs to Comply?

groups

Cloud service providers (IaaS, PaaS, SaaS) and organizations consuming cloud services that need to demonstrate robust cloud security controls. Especially relevant for technology companies, financial services, healthcare, and government agencies.

Key Requirements

1

Responsibility Delineation

Clearly define and document the division of information security responsibilities between the cloud service provider and the cloud service customer. Ensure both parties understand their respective obligations.

2

Virtual Environment Isolation

Implement controls to ensure adequate separation of virtual environments between different cloud service customers. Prevent unauthorized access across tenant boundaries.

3

Asset Management on Termination

Establish and communicate procedures for the return or secure deletion of customer assets, data, and configurations when a cloud service agreement ends or transitions to another provider.

4

Cloud Operations Security

Implement procedures for administrative operations specific to cloud computing environments, including monitoring of cloud resources, logging of cloud-specific events, and hardening of virtual machines.

Implementation Roadmap

1
Phase 1schedule Duration: 2-4 weeks

Define cloud security roles

Identify cloud services, shared-responsibility boundaries, cloud service customer and provider obligations, tenants, platforms, regions, administrators, and dependencies on ISO/IEC 27001 and ISO/IEC 27002 controls.

2
Phase 2schedule Duration: 4-8 weeks

Map cloud-specific controls

Assess current controls against ISO/IEC 27017 guidance for customer asset handling, virtual environment protection, administrator operations, tenant separation, monitoring, hardening, deletion, and provider-customer coordination.

3
Phase 3schedule Duration: 8-16 weeks

Implement operational evidence

Update cloud policies, contracts, configuration baselines, IAM, logging, vulnerability management, incident response, change control, secure deletion, and customer responsibility documentation.

4
Phase 4schedule Duration: Ongoing

Integrate into ISMS assurance

Include cloud controls in ISO 27001 risk treatment, supplier reviews, internal audits, management reviews, service changes, new regions, and customer assurance packages.

Compliance Checklist

0 / 12

checklist Cloud scope

checklist Control implementation

checklist Assurance

Penalties & Enforcement

warning

No direct legal penalties — ISO/IEC 27017 is a voluntary code of practice (not independently certifiable). However, it supplements ISO 27001 certification and is increasingly expected by enterprise customers and regulators evaluating cloud security posture.

Frequently Asked Questions

What does ISO/IEC 27017 cover?

expand_more

ISO/IEC 27017 provides cloud-specific implementation guidance and additional controls based on ISO/IEC 27002 for both cloud service providers and cloud service customers.

Can an organization be certified only to ISO 27017?

expand_more

ISO 27017 is usually used as an extension or assurance layer alongside an ISO 27001 information security management system rather than as a standalone management-system certification.

What is shared responsibility?

expand_more

Shared responsibility defines which security controls are handled by the cloud provider and which remain with the customer. ISO 27017 helps make those boundaries explicit through contracts, documentation, and operational controls.

Which controls are most cloud-specific?

expand_more

Typical focus areas include virtual environment protection, tenant separation, administrator operations, monitoring, customer asset return or deletion, cloud service configuration, and coordination between provider and customer.

How should customers use provider certifications?

expand_more

Provider certifications are useful assurance evidence, but customers still need to configure services securely, manage identities, classify data, monitor usage, and document their own responsibilities.

Official Documentation

View All

Implementation Timeline

description
2005
ISO/IEC 27002 published as the base code of practice
security
2013
ISO/IEC 27001:2013 establishes ISMS framework for cloud providers
check_circle
Dec 2015
ISO/IEC 27017:2015 published with cloud-specific guidance
update
2022
ISO/IEC 27002:2022 published — updated base control set
cloud
2023
Major cloud providers (AWS, Azure, GCP) maintain ISO 27017 attestations

Related Categories