
ISO 27017

Secure cloud computing in accordance with ISO 27017

The international standard ISO 27017 contains specific requirements for the information security of cloud services. It provides providers and users of cloud-based services with efficient guidelines for implementing effective information security controls.

What is ISO 27017?

ISO/IEC 27017 is an international standard that provides guidelines for information security controls specifically tailored to the provision and use of cloud services.

As an extension of the ISO/IEC 27002 standard, ISO 27017 provides additional controls and implementation guidance to address cloud-specific information security risks. The standard supports both cloud service providers and customers in ensuring a secure cloud computing environment.

Special features of ISO 27017

  • Provides a framework for implementing robust security measures specifically tailored to cloud services
  • Addresses cloud-specific security issues and provides additional controls not covered in ISO 27001
  • Contains best practices for cloud security and provides a structured approach to identifying, assessing and managing information security risks
  • Helps organisations comply with legal and regulatory requirements around data protection and privacy, reducing the risk of non-compliance penalties

We will support you – no matter what

Get started at last! We advise you: TÜV NORD IT Secure Communication | Berlin

Goal achieved? We check that: TÜV Informationstechnik | Essen

Frequently Asked Questions (FAQ)

What you need to know about ISO 27017

The requirements of ISO 27017 are specifically tailored to cloud service providers. For each area of the overarching ISO 27001 standard for information security, the cloud-specific security considerations that may apply are outlined. This methodology allows you to identify these security requirements more quickly and integrate them into your security management system.

ISO 27017 is based on the well-known standard for information security management systems ISO 27001 and supplements it with security aspects for cloud computing. Certification to ISO 27001 is therefore also a prerequisite for an extension to ISO 27017.

  • 1. Scope of application
  • 2. Normative references
  • 3. Terms and abbreviations
  • 4. Concepts specific to the cloud sector
  • 5. Information security guidelines
  • 6. Organisation of information security
  • 7. Personnel security
  • 8. Management of assets
  • 9. Access control
  • 10. Cryptography
  • 11. Physical & environmental security
  • 12. Operational security
  • 13. Communication security
  • 14. Acquisition, development & maintenance of systems
  • 15. Supplier relationships
  • 16. Handling of information security incidents
  • 17. Information security aspects of business continuity management
  • 18. Compliance
  • Appendix A: Extended set of measures for cloud services
  • Appendix B: References to information security risk in the context of cloud computing

As every company has different requirements and the requirements for a management system vary, the question of the cost of ISO 27017 certification cannot be answered in general terms.

In principle, the number of days required for the two certification audits is decisive. While small and medium-sized companies generally require fewer days, larger companies and groups should plan more time and budget accordingly.

We would be happy to provide you with a customised quote.

Cloud service providers (CSPs): Cloud service providers can obtain certification to demonstrate that they have implemented the recommended security practices for cloud services. This helps them to strengthen the trust of their customers and differentiate themselves in the market.

Organisations that use cloud services: Organisations that use cloud services can also become certified to ensure that their use of cloud services complies with security requirements and to validate their own security practices.

The ISO 27017 certificate is valid for a maximum of 3 years.

A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.

As ISO 27017 is an extension of ISO 27001 on the subject of the cloud, it can only be certified together with ISO 27001.

The necessary prerequisite for ISO 27017 certification is therefore an existing ISMS that fulfils the requirements of ISO 27001 or is already certified in accordance with it.

Do you already have an ISO 27001 certificate?

In this case, your existing ISMS will be audited separately in accordance with ISO 27017. The term of the resulting certificate then matches the term of your ISO 27001 certificate.

Is your ISO 27001 certificate expiring?

In this case, it makes sense to synchronise the audits for ISO 27001 and ISO 27017.

Are you aiming for joint certification to ISO 27001 & ISO 27017?

If you start with ISO 27001 and ISO 27017 at the same time, the audits for the two standards will be synchronised.