As I was discussing cloud governance with a client recently, a recurring question came up: “We have ISO 27001, so why do we need ISO 27017?” It’s a fair question. While ISO/IEC 27001 provides the foundational framework for an Information Security Management System (ISMS), the unique risks of cloud environments, including multi-tenancy, shared responsibility, and virtualization, require a more specialized lens.
ISO/IEC 27017:2015 serves as that lens. It is a “code of practice” that provides specific implementation guidance for both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs). In this blog, we will break down the relationship between these standards, the unique controls introduced by 27017, and what the revision currently under way means for your organization.
What Is ISO/IEC 27017?
ISO/IEC 27017:2015 is a code of practice, not a standalone certifiable standard. Think of it as a specialized extension that “plugs into” your existing ISO 27001 ISMS: control by control, it tells CSPs and CSCs how to implement the existing ISO 27002 guidance in a cloud setting, and it addresses the “murky” areas that generic standards leave vague, above all who is responsible for what in a shared, multi-tenant environment.

What Is the Difference Between ISO/IEC 27017 & ISO/IEC 27001?
It is important to distinguish between a “Management System Standard” and a “Code of Practice.” ISO 27001 is the former, as it defines the requirements for the ISMS itself. ISO 27017 is the latter; it supplements ISO 27001 and ISO 27002 by providing enhanced cloud-specific guidance for 37 existing ISO 27002 controls and introducing seven entirely new cloud-specific controls (the “CLD” controls discussed below).
Because it is a code of practice, an entity cannot be certified to ISO 27017 in isolation. Instead, certification is achieved by extending the scope of your ISO 27001 ISMS to include these cloud-specific requirements. The result is a combined certificate that demonstrates your commitment to cloud security best practices.
What Is the Difference Between ISO/IEC 27017 & SOC 2?
When organizations evaluate their compliance options, one of the most common debates is whether to pursue an ISO 27017 certification extension or a SOC 2 Type II attestation. While both frameworks aim to validate a robust cloud security posture, they differ significantly in their geographic preference and the reporting artifacts they produce.
SOC 2 is a staple in the North American market and results in a detailed attestation report, sometimes 50 pages or more, that includes the auditor’s specific tests and results across the Trust Services Criteria. In contrast, ISO 27017 is internationally recognized and results in a concise, one-to-two-page ISO 27001 certificate whose scope references 27017 and which states that your management system meets global best practices; the detailed test results stay with the certification body rather than being handed to customers.
Furthermore, their life cycles differ: a SOC 2 report is typically refreshed every 12 months to avoid being considered “stale,” whereas ISO follows a three-year certification cycle with annual surveillance audits. For many SaaS providers, pursuing both is the most direct way to satisfy both domestic and global procurement requirements.

What Are the Seven Unique Cloud Security Controls?
If ISO 27017 is the right path for your company, it’s time to learn the unique controls that lie within it. The core value of ISO 27017 lies in its seven “CLD” controls, which address the technical complexities of the cloud:
CLD.6.3.1: Shared Roles & Responsibilities
This mandates a documented “Shared Responsibility Model” between the provider and the customer. It clarifies exactly who is responsible for patching, logging, and data encryption, and eliminates the “security gap” where each party assumes the other is handling a control.
- Auditor Expectation: A clear responsibility matrix (RACI) that specifies who is responsible for patching the guest OS, managing encryption keys, and monitoring logs.
- Audit Insight: A common pitfall is the “implied” responsibility. I often see gaps where both parties assume the other is handling vulnerability scanning for the application layer.
CLD.8.1.5: Removal of Cloud Assets
When a contract ends, how do you ensure your data is actually gone? This control requires procedures for the secure return or deletion of customer assets at termination, so that customer data does not persist on the provider’s shared storage after the relationship ends.
- Auditor Expectation: Documented decommissioning procedures and evidence of execution, such as certificates of data destruction or automated erasure logs.
- Audit Insight: Failed cloud exit planning is a major risk. Auditors look for specific timelines in service agreements regarding how long data persists after termination.
CLD.9.5.1: Segregation in Virtual Environments
For CSPs, this requires logical isolation between tenants in a multi-tenant environment, so that one customer’s workload or data cannot be reached from another’s (a “cross-tenant” attack). For customers, it means isolating their own workloads from each other using tools like Virtual Private Clouds (VPCs), subnets, and security groups.
- Auditor Expectation: Configuration evidence of logical isolation, such as Virtual Private Clouds (VPCs), micro-segmentation, and security group rules.
CLD.9.5.2: Virtual Machine Hardening
This requires secure configuration baselines for every virtual machine (VM). Auditors look for “golden images” and automated build or provisioning scripts (such as Packer or Terraform) that ensure every VM is hardened before it reaches production, rather than hardened by hand afterwards.
- Auditor Expectation: The use of “Golden Images” or “Hardened Images” based on benchmarks like CIS or NIST. We often inspect Terraform or Packer scripts used to automate this hardening.
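One way to make “every VM is hardened before production” verifiable rather than merely asserted is to test the built image against the baseline as part of the image pipeline. The Python below is an added example written for this article, not code from the page’s author or from any benchmark; it parses an sshd_config the way sshd itself does (first occurrence of a keyword wins, whitespace or `=` separators, comments stripped, conditional Match blocks excluded from the global settings) and reports every baseline directive that is missing or outside its accepted values. The baseline values and both sample configurations are constructed for illustration; a real check would take its values from the CIS or NIST benchmark the organization has adopted.

```python
"""Check an image's sshd_config against a hardening baseline (constructed sample data)."""
import re

# Illustrative baseline: accepted values per directive. These are constructed for the
# example; real values come from the CIS/NIST benchmark your organization adopts.
SSHD_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
    "loglevel": {"info", "verbose"},
}

# Constructed sshd_config from a not-yet-hardened image (example data, not a real host).
UNHARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries = 6
LogLevel INFO
PermitRootLogin no          # ignored by sshd: the first occurrence above wins
Match User deploy
    PasswordAuthentication no   # conditional, so it does not fix the global setting
"""

# The same file after the image build applies the baseline (also constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""


def parse_sshd_config(text):
    """Return {keyword: value} (both lower-cased) for the global section of an sshd_config.

    Mirrors sshd's own rules: '#' starts a comment, keyword and value are separated by
    whitespace or a single '=', the first occurrence of a keyword wins, and parsing stops
    at the first Match block because directives inside it are conditional, not global.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def check_baseline(settings, baseline=SSHD_BASELINE):
    """Return [(keyword, found_value_or_None, accepted_values)] for every failed directive.

    An absent directive fails too: it leaves the setting at the build's compile-time
    default, which the image cannot demonstrate to an auditor.
    """
    failures = []
    for key, accepted in baseline.items():
        found = settings.get(key)
        if found not in accepted:
            failures.append((key, found, sorted(accepted)))
    return failures


def audit_sshd_config(text, baseline=SSHD_BASELINE):
    """Parse and check in one step; an empty list means the config passes the baseline."""
    return check_baseline(parse_sshd_config(text), baseline)


if __name__ == "__main__":
    for label, cfg in (("unhardened", UNHARDENED_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for key, found, accepted in findings:
            print(f"  {key}: found {found!r}, accepted {accepted}")
```

Run it as a post-provisioning step in the image pipeline (for instance after the Packer provisioners finish) and fail the build on any finding; the build log then doubles as the evidence an auditor asks for under CLD.9.5.2. The choice to treat an absent directive as a failure is deliberate: the compile-time default may well be secure, but the image cannot attest to it.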
CLD.12.1.5: Administrator’s Operational Security
This focuses on the broad privileges that cloud administrators hold. It mandates strict access controls and multi-factor authentication (MFA) on privileged accounts, and transparency about how a provider’s internal staff access customer data.
- Auditor Expectation: Evidence of Multi-Factor Authentication (MFA) for all root/admin accounts and logs showing “Just-in-Time” (JIT) access approvals.
CLD.12.4.5: Monitoring of Cloud Services
Both parties must monitor the environment for security events: effective detection requires the CSP to make relevant logs available (such as API audit logs or network flow logs) and the customer to actually ingest and analyze them for suspicious patterns.
- Auditor Expectation: Proof that the CSP provides relevant logs (like AWS CloudTrail or Azure Monitor) and that the customer is actually ingesting and alerting on those logs.
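The three controls above (CLD.9.5.1, CLD.12.1.5 and CLD.12.4.5) come down to the same operational question: once the CSP hands over its API audit logs, what does the customer actually alert on? The Python below is an added example written for this article, not code from ISO 27017, from any CSP, or from the page’s author. It runs four detections over a handful of constructed, CloudTrail-shaped records (not real log data): root-account activity and successful console logins without MFA (CLD.12.1.5), a security-group ingress rule opened to 0.0.0.0/0 or ::/0 (CLD.9.5.1), and calls that stop or reconfigure the trail itself, which would blind the customer’s monitoring (CLD.12.4.5). The field names follow the public CloudTrail record format; the rule identifiers and the sample events are my own.

```python
"""Detection logic over CloudTrail-shaped events (constructed sample data)."""
import json

# Constructed records shaped like AWS CloudTrail events; not real log data.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T08:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/16"}]}}]}}},
    {"eventTime": "2024-05-01T08:09:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
]

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# API calls that stop, delete or narrow the audit trail (rule set is illustrative).
LOG_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(event):
    """Best available name for who made the call."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def _world_open_rules(event):
    """Yield (protocol, fromPort, toPort, cidr) for ingress rules open to the whole internet."""
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr in WORLD_CIDRS:
                yield perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort"), cidr


def detect(event):
    """Return a list of (rule_id, message) findings for a single event."""
    findings = []
    name = event.get("eventName")
    ident = event.get("userIdentity", {})
    # CLD.12.1.5: the root account should never be used for day-to-day work.
    if ident.get("type") == "Root":
        findings.append(("root-activity", f"root account used for {name}"))
    # CLD.12.1.5: a successful console login that did not present MFA.
    if (name == "ConsoleLogin"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append(("console-login-no-mfa", f"{_actor(event)} logged in without MFA"))
    # CLD.9.5.1: isolation broken by an ingress rule open to 0.0.0.0/0 or ::/0.
    if name == "AuthorizeSecurityGroupIngress":
        for proto, lo, hi, cidr in _world_open_rules(event):
            findings.append(("world-open-ingress",
                             f"{_actor(event)} opened {proto}/{lo}-{hi} to {cidr}"))
    # CLD.12.4.5: the customer loses its evidence trail if logging is stopped or narrowed.
    if name in LOG_TAMPER_EVENTS:
        findings.append(("log-tampering", f"{_actor(event)} called {name}"))
    return findings


def scan(events):
    """Run every detection over an event stream; returns [(eventTime, rule_id, message)]."""
    return [(e.get("eventTime"), rid, msg) for e in events for rid, msg in detect(e)]


def scan_jsonl(lines):
    """Same, over newline-delimited JSON as exported from a log bucket or SIEM."""
    return scan(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for when, rule_id, message in scan(SAMPLE_EVENTS):
        print(f"{when}  {rule_id:22}  {message}")
```

In practice the same functions would run wherever the trail is ingested (a SIEM correlation rule, a function triggered on the log bucket); what matters for the audit is that the alert exists, fires on the constructed events, and is reviewed, which is the evidence CLD.12.4.5 asks the customer side to produce. Note that the clean events (alice’s MFA login and her rule scoped to 10.0.0.0/16) produce no findings, so the detections can run on the full stream without drowning the analyst.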
CLD.13.1.4: Alignment of Security Management for Virtual and Physical Networks
This ensures that network security management remains consistent across physical on-premises networks and virtual cloud networks, so that moving a workload into the cloud does not silently relax the rules that governed it on-premises.
- Auditor Expectation: Unified network security policies that govern both on-premises firewalls and cloud-native security groups.

The Road to Certification: A Step-by-Step Roadmap
For organizations ready to pursue this extension, we typically recommend a structured approach to establishing audit readiness:
- Gap Analysis & Risk Assessment: Evaluate your current ISMS against the 27017 requirements and identify cloud-specific threats.
- Update the Statement of Applicability (SoA): The SoA must be updated to include the 37 enhanced and 7 unique 27017 controls.
- Team Formation: Appoint an ISO Lead and engage stakeholders across IT, Legal, and HR.
- Control Remediation: Implement technical fixes, such as automated VM hardening or updating your IAM policies.
- Training & Awareness: Ensure staff are trained on cloud-specific incident reporting and secure coding practices.
- Internal Audit: Conduct a full review to verify that controls are operating effectively before the external audit.
- External Certification Audit: An accredited body, such as Linford & Company, conducts a two-stage audit (Documentation Review followed by Effectiveness Testing).
Is ISO/IEC 27017:2015 Being Replaced or Updated?
The landscape of international standards is evolving. As of late 2025, ISO/IEC 27017 is undergoing a major revision to align with the updated ISO/IEC 27002:2022 control set.
The second edition, currently in the Draft International Standard (DIS) stage, will introduce updated guidance for modern technologies like serverless computing and container orchestration. If you are currently certified, don’t panic; organizations certified to the 2015 edition will likely have a three-year transition window once the new version is finalized, expected in early 2026.

Frequently Asked Questions About ISO/IEC 27017
These are some of the most common questions clients ask us about ISO 27017.
Is ISO 27017 a Certification?
Technically, no, you cannot receive a standalone certificate for ISO 27017. Instead, certification is achieved by extending the scope of your ISO 27001 audit. When an organization successfully implements these controls, the resulting ISO 27001 certificate will explicitly reference ISO 27017 in the scope statement or on the face of the certificate.
Can I Get ISO 27017 Without ISO 27001?
No. ISO 27017 is a code of practice that must be implemented as an extension of an existing ISO 27001 ISMS.
Is ISO 27017 a Legal Requirement?
While not legally mandated, it is often a contractual requirement for enterprise vendors and serves as a strong signal for GDPR and HIPAA alignment.
What Is the “Shared Responsibility” Pitfall?
A big risk is assuming your CSP handles a control (like backups) when the CSP contract might actually place that responsibility on the customer. ISO 27017 forces these conversations to be documented.
Taking the Next Step with ISO 27017
ISO/IEC 27017:2015 is more than a checklist; it is a strategic framework that clarifies accountability and secures the modern cloud ecosystem. Whether you are a company looking to win enterprise contracts or aiming to protect sensitive workloads, this standard provides the structure necessary to build a resilient, trust-based cloud presence.
If you are interested in learning more, reach out to me, Rhonda Willert, or any of our partners here at Linford & Company. We are an accredited firm with the expertise to guide you through your ISO and cloud security certification needs efficiently and effectively.

Rhonda is a Partner at Linford & Co. delivering risk services, compliance attestations, and certification engagements. Rhonda has her CPA, CISSP, CISA, ISO Lead Auditor Certification, and her PMP certification. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance and delivers excellent client service. Rhonda actively supports clients in all industries and focuses on compliance frameworks such as SOC 1, SOC 2, HIPAA, HITECH, ISO/IEC 27001:2022, ISO/IEC 27017, ISO/IEC 27018, NIST 800-171, and HITRUST.