
ISO 27017 and ISO 27018: Cloud Security Standards

ISO 27017 and ISO 27018 extend ISO 27001 with specific guidance for cloud computing environments. Understanding these standards helps cloud service providers and their customers address cloud-specific security and privacy requirements.

Key Takeaways

Point            Summary
ISO 27017        Cloud security controls for both providers and customers
ISO 27018        Protection of personally identifiable information (PII) in public clouds
Prerequisite     Both are codes of practice, not standalone management-system standards; conformity is certified as an extension of an ISO 27001 certificate
Who needs them   Cloud service providers (primarily); cloud customers (selectively)
Combined value   Demonstrates mature cloud security and privacy practices

Quick Answer: ISO 27017 provides cloud-specific security guidance, while ISO 27018 focuses on protecting personal data in the cloud. Both are issued as extensions of an ISO 27001 certificate, so the foundation certification comes first. These extensions are particularly valuable for cloud service providers and for organizations processing sensitive personal data in cloud environments.

Understanding the ISO 27000 Cloud Standards

ISO 27017: Cloud Security

ISO 27017 provides guidelines for information security controls applicable to cloud services. It extends the ISO 27002 control guidance with cloud-specific considerations for both:

  • Cloud service providers (CSPs) offering services
  • Cloud service customers using those services

The standard recognizes that cloud computing introduces unique security considerations that go beyond traditional IT environments.

ISO 27018: Cloud Privacy

ISO 27018 establishes a code of practice for protection of personally identifiable information (PII) in public cloud environments. It applies specifically to PII processors, organizations that handle personal data on behalf of others (the PII controllers, who decide why and how the data is processed), and its additional controls are derived from the ISO/IEC 29100 privacy principles.

This standard helps cloud providers demonstrate they handle personal data responsibly, supporting their customers' privacy compliance obligations.

When Do You Need These Standards?

You May Benefit from ISO 27017 If:

Scenario                               Why ISO 27017 helps
You're a cloud service provider        Demonstrates cloud-specific security maturity
Enterprise customers require it        Some procurement processes specify ISO 27017
Multi-tenant environments              Addresses shared responsibility considerations
Regulated industries using cloud       Shows due diligence in cloud security

You May Benefit from ISO 27018 If:

Scenario                               Why ISO 27018 helps
Processing personal data in cloud      Demonstrates PII protection commitment
GDPR compliance requirements           Supports data processor obligations
Healthcare or financial services       Industries with heightened privacy expectations
Customer data processing               Reassures customers about their data

You Probably Don't Need These (Yet) If:

  • You're just starting your compliance journey—focus on ISO 27001 first
  • You're primarily a cloud customer (not provider) with limited cloud-specific risks
  • Your customers haven't requested these specific certifications

ISO 27017: Cloud Security in Detail

Structure and Approach

ISO 27017 follows the structure of ISO 27002 (the implementation guidance for ISO 27001; ISO/IEC 27017:2015 is built on ISO/IEC 27002:2013), adding cloud-specific implementation guidance and seven new controls unique to cloud environments.

Key characteristics:

  • Adds cloud-specific implementation guidance to the ISO 27002 controls where cloud changes the picture (for many controls it explicitly adds nothing)
  • Provides separate guidance for cloud providers and for cloud customers under each control
  • Introduces seven controls specifically for cloud environments (the CLD controls)
  • Addresses the shared responsibility model

Cloud-Specific Controls in ISO 27017

Control      Control area                                                        Purpose
CLD.6.3.1    Shared roles and responsibilities                                   Clear delineation between provider and customer duties
CLD.8.1.5    Removal of cloud service customer assets                            Proper handling of customer assets when cloud services end
CLD.9.5.1    Segregation in virtual computing environments                       Multi-tenant security considerations
CLD.9.5.2    Virtual machine hardening                                           Cloud-specific configuration requirements
CLD.12.1.5   Administrator's operational security                                Controls for cloud administration
CLD.12.4.5   Monitoring of cloud services                                        Customer visibility into activity in the cloud service
CLD.13.1.4   Alignment of security management for virtual and physical networks  Cloud networking considerations

Shared Responsibility Model

A core concept in ISO 27017 is the shared responsibility model:

Responsibility             Cloud provider   Cloud customer
Physical infrastructure    Yes
Hypervisor/platform        Yes
Network infrastructure     Shared           Shared
Application security                        Yes
Data protection            Shared           Shared
Identity management        Shared           Shared
Compliance                 Shared           Shared

The split above is indicative only: where the line falls depends on the service model (IaaS, PaaS or SaaS) and on the specific service. The standard helps both parties understand and document their respective responsibilities in the contract and service documentation rather than assuming a generic split.

ISO 27018: Cloud Privacy in Detail

Structure and Approach

ISO 27018 builds on the ISO 27002 control guidance with additional implementation guidance and an annex of extra controls specifically for protecting PII in public cloud environments. It's designed for PII processors, organizations that process personal data on behalf of data controllers.

Key characteristics:

  • Focuses exclusively on personally identifiable information
  • Applies to public cloud PII processors
  • Derives its privacy controls from the ISO/IEC 29100 privacy principles, which map well onto data-processor obligations in regulations such as GDPR
  • Establishes expectations for transparency and accountability

Privacy Principles in ISO 27018

Principle                  Requirement
Consent and choice         Support the data controller's consent requirements
Purpose limitation         Process PII only for specified purposes
Data minimization          Limit PII processing to what's necessary
Use and disclosure         Restrict how PII is used and shared
Retention limitation       Delete or return PII when no longer needed
Transparency               Clear information about processing practices
Individual participation   Support data subject rights
Accountability             Demonstrable compliance with the principles

Key ISO 27018 Controls

Control area               Purpose
PII return and disposal    Proper handling at contract termination
Sub-processor disclosure   Transparency about who processes data
Breach notification        Timely notification of security incidents involving PII
Disclosure requests        Handling legal/government data requests
PII location               Disclosure of where data is processed
Cross-border transfers     Controls for international data flows

Relationship Between Standards

The Foundation: ISO 27001

Neither ISO 27017 nor ISO 27018 is a management-system standard with its own certification scheme; both are codes of practice, and certification bodies assess conformity to them as an extension of an ISO 27001 certificate. They don't replace ISO 27001; they extend it:

ISO 27001 (Foundation ISMS)
    ├── ISO 27017 (Cloud Security Extension)
    └── ISO 27018 (Cloud Privacy Extension)

How They Complement Each Other

Standard     Focus                       Audience
ISO 27001    Comprehensive ISMS          All organizations
ISO 27017    Cloud-specific security     Cloud providers and customers
ISO 27018    PII in cloud environments   PII processors (primarily providers)

An organization might pursue:

  • ISO 27001 only (most common for cloud customers)
  • ISO 27001 + ISO 27017 (cloud providers focused on security)
  • ISO 27001 + ISO 27018 (organizations processing personal data)
  • ISO 27001 + ISO 27017 + ISO 27018 (comprehensive cloud security and privacy)

Certification Considerations

Certification Process

Certification to ISO 27017 and/or ISO 27018 typically occurs:

  • As an extension to an existing ISO 27001 audit
  • Through the same certification body
  • With additional audit days to cover the extension requirements

Timeline and Investment

Scenario                          Additional timeline               Additional investment
Adding ISO 27017 to ISO 27001     2-4 weeks                         Moderate
Adding ISO 27018 to ISO 27001     2-4 weeks                         Moderate
Adding both extensions            4-6 weeks                         Significant
All three together (initial)      Included in overall project       Efficient combined approach

Maintenance

Like ISO 27001, the extensions follow a three-year certification cycle with annual surveillance audits. The surveillance audits cover the extension requirements alongside core ISO 27001 requirements.

Major Cloud Provider Certifications

For context, major cloud providers typically hold these certifications:

Provider          ISO 27001   ISO 27017   ISO 27018
AWS               Yes         Yes         Yes
Microsoft Azure   Yes         Yes         Yes
Google Cloud      Yes         Yes         Yes

Certification is not inherited: a provider's certificate covers only the layers the provider operates. What customers can do is rely on the provider's certificates (and the supporting audit reports) as evidence for those layers, and focus their own ISMS and audit effort on the areas they control, such as their configuration of the service, their identities and access, and their data.

Common Questions

Do I need ISO 27017/27018 if my cloud provider has them?

Your cloud provider's certifications cover their responsibilities—not yours. If you're processing data in the cloud, you're still responsible for your portion of the shared responsibility model. However, you may be able to leverage your provider's certifications to reduce your audit scope.

Can I get ISO 27017 or 27018 without ISO 27001?

No. Neither standard has a standalone certification scheme; both are assessed as extensions to an ISO 27001 certificate. You need the foundation certification first.

Should I pursue ISO 27018 or GDPR compliance?

They're complementary, not alternatives. ISO 27018 demonstrates good practices for PII protection, which supports GDPR compliance. However, ISO 27018 certification doesn't automatically mean GDPR compliance—GDPR has additional requirements.

Are these standards relevant for private cloud?

ISO 27017 applies to cloud services in any deployment model, private cloud included. ISO 27018 specifically addresses public cloud PII processors, though its principles can inform private cloud privacy practices.

Making the Decision

Start with ISO 27001

For most organizations, the priority sequence is:

  1. ISO 27001 — Foundation certification
  2. Consider extensions — Based on customer requirements and business context

Consider Extensions When:

  • Customers specifically request ISO 27017 or ISO 27018
  • You're a cloud service provider seeking differentiation
  • You process significant volumes of personal data in the cloud
  • Regulated industries require additional assurance

Practical Approach

If you anticipate needing the extensions:

  • Consider pursuing all certifications together (more efficient)
  • Structure your ISMS to accommodate cloud-specific requirements from the start
  • Work with a partner experienced in cloud security certifications
