Most of the time on the Ignyte blog, we talk about overarching security frameworks like FedRAMP, CMMC, and ISO 27001. Sometimes, though, it’s worth digging deeper into smaller-scale elements of these frameworks. Today’s target is ISO 27017, the ISO/IEC publication focusing on cloud service security. What does this document entail, who needs to use it, and what does compliance involve? Let’s discuss.
BLUF - Bottom Line Up Front
ISO 27017 offers guidance for implementing cloud service security based on ISO 27002 controls. It highlights best practices for cloud service providers and customers to ensure data protection and risk management. Key elements include establishing clear security roles, ensuring data handling awareness, managing user access and authentication, implementing cryptographic controls, and maintaining legal compliance. While not mandatory, ISO 27017 remains relevant as a supplementary guide alongside ISO 27001 and ISO 27002 for effective cloud security practices.
What is ISO 27017?
ISO/IEC 27017 is formally known as “Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services”.
Helpful? Not on its own. It helps to know what ISO 27002 is, then: “Information security, cybersecurity and privacy protection – Information security controls.”
ISO 27002 is a complementary document for ISO 27001, which is the overall guide for developing an Information Security Management System according to security areas outlined throughout its contents. ISO 27002 is a rundown of all of the areas of security and the best practices that should be used for each area.
While the comparison is not exactly accurate, you can think of ISO 27001 as an equivalent to CMMC and ISO 27002 as the equivalent of NIST SP 800-171. The difference is that while the NIST publication outlines the control families, ISO 27002 outlines best practices within those families; the solution to the problem, not just the problem.
Digging deeper, then, ISO 27017 is a cloud-specific compliance framework meant to further define and guide the implementation of security according to ISO 27002 and ISO 27001 requirements.
As of right now, ISO 27017 only has one version, which is the version published in 2015. The ISO/IEC has been working on an updated version and expects to have one published sometime later this year.
For now, if you want to read the relevant documents:
- ISO/IEC 27017:2015 Edition 1, published in 2015 and last reviewed in 2024.
- ISO/IEC DIS 27017, the Draft International Standard for the 2025 iteration of ISO 27017.
Note that the full version costs around $195 for a copy, and the discussion version costs $82. This is perhaps the one downside of ISO standards; they cost money simply to see the documentation.
What Does ISO 27017 Do?
ISO 27017 provides a guide for the implementation of best-practice security for cloud infrastructure. It’s aimed at two groups of people: the cloud service providers and the customers of those providers. It serves as a common ground, showcasing side-by-side what providers are (or should be) doing to protect data and what customers can do to stay within that system and avoid introducing further risks.
To use their own words:
“…this Recommendation/International Standard provides guidance supporting the implementation of information security controls for cloud service customers and cloud service providers. Some guidance are for customers who implement the controls and others are for CSPs to support the implementation of those controls.”
Anyone who is using ISO 27001 or ISO 27002 can use ISO 27017 as a supplementary guide to help make sure implementation is as effective as possible.
Who Should Use ISO 27017?
There are two answers to this question.
The first is that because ISO 27017 is not itself a regulatory framework, no one actually needs to use it.
The second is that, as mentioned above, anyone who is either a cloud service provider or a cloud service customer who has implementation concerns can use ISO 27017 as a guide for security. As a well-regarded international standard, 27017 is well-made and effective.
Is ISO 27017 Relevant Today?
We mentioned above that ISO 27017 is from 2015. A decade is a very long time in internet years, and the face of cloud technology has changed significantly in that time. Is ISO 27017 valid ten years after its publication?
There are two ways to assuage these fears.
The first is that, again, as we mentioned above, a new version is due to be published later this year. Wait a few months, and you’ll have a nice, fresh, new iteration of the ISO 27017 document to use as your new baseline.
The second is how ISO standards are formed. Where NIST standards outline specifics, ISO standards tend to outline concepts. They won’t tell you to use a specific encryption algorithm; they’ll tell you to use encryption of at least a given strength.
A third detail is that many – not all, but many – of the security standards in ISO 27017 are just “Control X and associated implementation guidance specified in ISO 27002 apply.” They reference other documents that are kept more updated than 27017 itself.
ISO 27017 Instructions for Cloud Service Providers
ISO 27017 provides guidance for both cloud service providers and cloud service customers, but we’re looking primarily at the instructions it gives to providers today. Let’s go through them one by one.
The remainder of this post will be a rundown of each security control from ISO 27001 that has specific guidance for CSPs in ISO 27017. We’ll outline what the control is and what the guidance offered is for the CSP.
Policies for Information Security (Control 5.1.1)
The CSP should improve any existing information security policy to address the provisioning and use of the cloud service they provide.
ISO 27017 recommends covering the following information:
- Baseline information security requirements for the implementation of the service
- Risks from insiders
- Policies for multi-tenancy and customer isolation
- Staff access controls to customer assets
- Access control procedures, in general
- Customer communications during changes (change management)
- Security for virtualization
- Access and protection of customer data
- Lifecycle management of customer accounts
- Breach communication and information sharing guidelines for investigations
This, like everything in ISO 27017, is an add-on to ISO 27002 specific to cloud service providers.
Information Security Roles and Responsibilities (Control 6.1.1)
The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers.
ISO 27017 also goes on to specify that the cloud service customer is responsible for the decision to use the cloud service, but that the provider is accountable for the security it states it provides as part of the service agreement. These lines in the sand help eliminate finger-pointing over responsibility in the event of a breach or compromise.
It also states that responsibility for and ownership of various assets fall to whoever controls those assets. The provider is responsible for customer data except where it is lost through the customer’s own actions; if a customer deletes data, the provider is not obliged to have kept a backup for them unless it has stated that it will.
Contact with Authorities (Control 6.1.3)
The cloud service provider should inform the customer of the geographical locations of the provider’s organization, as well as the countries where the provider stores customer data.
In other words, the customer needs to know where their data is processed and stored, as well as where the cloud company is located. A customer in the USA using a service from a company based in Germany that hosts their servers in Switzerland needs to be aware of these geographic disparities. This is relevant in cases of law enforcement action or investigations; the laws governing the servers and the company can differ from those governing the customer.
Information Security Awareness, Education and Training (Control 7.2.2)
The cloud service provider should provide awareness, education, and training to employees and contractors with regard to the handling of customer data and service-derived data. Since cloud service customer data can be confidential or subject to regulatory control, anyone who potentially handles or has access to it needs to know how to deal with it appropriately.
This has significant overlap with the training requirements found in many information security frameworks like CMMC. Since people are the biggest gap in any security program, it’s critical that they be trained and aware of their responsibilities.
Inventory of Assets (Control 8.1.1)
The cloud service provider’s inventory of assets should explicitly identify cloud service customer data and cloud service derived data.
Because these kinds of data are considered assets of different classes for the purposes of other security controls, they need to be explicitly identified.
Labeling of Information (Control 8.2.2)
The cloud service provider should document and disclose any service function it provides that could allow customers to classify and label their information and assets.
This allows a customer to label confidential, controlled, classified, or other forms of data so that the appropriate controls can be applied.
User Registration and Deregistration (Control 9.2.1)
The cloud service provider should provide functionality to add and remove users registered to customer accounts for the use of the cloud service’s functions.
In other words, cloud service providers should have the option for a customer to have user accounts that can be controlled granularly rather than having multiple users share one account and password.
User Access Provisioning (Control 9.2.2)
The cloud service provider should provide functions for managing customer user access rights, along with documentation and specifications for using those functions.
For example, this might mean supporting, implementing, and documenting single sign-on functionality.
Management of Privileged Access Rights (Control 9.2.3)
The cloud service provider should provide authentication techniques for authenticating customer administrators to allow access to cloud service admin tasks.
This particular control is phrased somewhat oddly, but it mostly boils down to making sure customer admins can both access provider services and be secure in doing so through the use of security techniques like multi-factor authentication. It does allow the provider to make use of third-party authentication techniques rather than managing their own, at least.
Management of Secret Authentication Information of Users (Control 9.2.4)
The provider should provide information on how secret authentication information (passwords, keys, and similar credentials) is managed, including how it is allocated to users.
This is on top of the guidelines outlined in ISO 27002, which is why it feels isolated when reading it on its own.
Information Access Restriction (Control 9.4.1)
The CSP should provide access controls to allow the customer to restrict access to services, functions, and data.
Use of Privileged Utility Programs (Control 9.4.4)
“Utility programs” are third-party tools customer admins could use to handle cloud service data.
The CSP should outline requirements for any utility program a customer can use, and should ensure that any utility program that could bypass normal authentication processes is itself locked down.
Policy on the Use of Cryptographic Controls (Control 10.1.1)
The CSP should be using encryption and provide information to its customers about when it uses that encryption.
Likewise, the CSP should give the customer information about any functions granted to the customer to use their own encryption.
Secure Disposal or Reuse of Equipment (Control 11.2.7)
If any equipment that could have handled or held data (such as memory, hard drives, files, servers, or other equipment) is to be disposed of or reused, the CSP should ensure that arrangements are made for the secure disposal or reuse of that equipment in a timely manner.
No “storage locker full of decommissioned hardware that hasn’t been cleaned” here.
Change Management (Control 12.1.2)
The CSP should provide their customers with information on changes to the service that could disrupt the customer’s use of the service. This needs to include the category of change, the time of the change, technical descriptions of the changes, and notifications of the start and completion of those changes.
This also includes changes that the CSP’s infrastructure provider might be implementing, trickled down to customers. For example, a CSP operating off Amazon AWS should inform their customers of AWS changes and downtime, as well as their own.
Capacity Management (Control 12.1.3)
The CSP should monitor resource capacity to avoid incidents caused by resource shortages.
In other words, the provider should have an awareness of customer use and be able to cut them off if they’re effectively DDoSing the service.
Information Backup (Control 12.3.1)
The cloud service provider should provide the customer with information about its backup policies.
This should include:
- Scope and schedule of backups
- Methods, formats, and encryption of the backup data
- Retention periods
- Procedures for data integrity verification
- Procedures and timescales for restoring from backup
- Backup testing procedures
- Storage location of backups
And, if the CSP offers backup functionality to customers via their service, secure and segregated access should be provided to customers.
Event Logging (Control 12.4.1)
The CSP should provide logging capabilities. Pretty straightforward.
Clock Synchronization (Control 12.4.4)
A technical one here that most people won’t need to care about: the CSP should provide information on the clock service it uses and how to synchronize to it if necessary.
Management of Technical Vulnerabilities (Control 12.6.1)
The CSP should give the customer information on the management of vulnerabilities that could affect the service so the customer can use it as part of their own risk management.
Segregation in Networks (Control 13.1.3)
The CSP should enforce network access segregation between tenants in a multi-tenant environment, and between the provider’s internal administration environment and customer environments.
If necessary, the CSP should help the customer verify this segregation exists.
Information Security Requirements Analysis and Specification (Control 14.1.1)
The CSP needs to provide the customer with information about the information security capabilities it uses. That information does not need to be specific enough to be harmful if disclosed to a bad actor, and disclosure should be limited to what customers need to know, or to parties who have an NDA in place.
Secure Development Policy (Control 14.2.1)
The CSP should provide information about its own secure development procedures as necessary for its disclosure policy.
Addressing Security Within Supplier Agreements (Control 15.1.2)
The CSP should specify, as part of an agreement, relevant security measures they implement to avoid misunderstanding between providers and customers.
These can vary based on the type of cloud service being provided.
Information and Communication Technology Supply Chain (Control 15.1.3)
If a CSP uses the services of a peer CSP, they should ensure security with the peer is equivalent to or better than what they offer their customers.
The CSP should provide suppliers with security level requirements and ensure the supplier provides that level of security at a minimum.
Responsibilities and Procedures (Control 16.1.1)
The CSP should define the allocation of incident management responsibilities between the customer and the CSP itself.
Documentation should be provided to the customer covering the scope of security incidents that will be reported, the level of detail disclosed about detected incidents, the timeframe for disclosure, the procedure for notifications, contact information for handling issues, and remedies if information security incidents occur.
Reporting Guidance for Cloud Services (Control 16.1.2)
The CSP should have mechanisms for the customer to report security events to the provider, the provider to report to the customer, and for tracking reported events.
Collection of Evidence (Control 16.1.7)
The customer and provider should agree on procedures to respond to requests for evidence in the event of an incident.
Identification of Applicable Legislation and Contractual Requirements (Control 18.1.1)
The CSP should inform customers of the legal jurisdictions governing the service, of the provider’s own legal protections for customer information, and of evidence of compliance with applicable legislation and contractual requirements.
Intellectual Property Rights (Control 18.1.2)
The CSP should have a process for responding to IP rights complaints.
Protection of Records (Control 18.1.3)
The CSP should provide customers with information about record protection for records gathered and stored by the provider.
Regulation of Cryptographic Controls (Control 18.1.5)
The CSP should provide descriptions of cryptographic controls implemented for customers for compliance with laws and agreements.
Independent Review of Information Security (Control 18.2.1)
The CSP should provide documented evidence for the implementation of security controls to third-party auditors when asked.
Dan Page is a seasoned Cybersecurity and Risk Management Executive known for advancing security programs aligned with complex regulatory frameworks and critical business objectives. With over 12 years in information security, his expertise began in the U.S. Army Signal Corps, where he led global communications and secured classified networks supporting Special Operations missions. Post-military, he specializes in security architecture for CUI, ITAR data, and federal cloud workloads. Currently, as Senior Cybersecurity Manager at Ignyte Assurance Platform, Dan guides organizations through compliance with CMMC, FedRAMP, ISO 27001, PCI, and NIST standards. A CISSP, CRISC, CISM, PMP, and ITIL-certified professional, he is also a cybersecurity lecturer and community volunteer advocating workforce development.