ISO 27017: Security Controls for Cloud Services

ISO/IEC 27017:2015 is the international code of practice for information security controls for cloud services, based on ISO/IEC 27002.

What is ISO 27017?

ISO/IEC 27017:2015 is a code of practice for information security controls for cloud services and is an extension to ISO/IEC 27001 and ISO/IEC 27002. The standard gives guidance to both cloud service customers and cloud service providers. ISO 27017 is designed to help you and your organization select security controls for cloud services when implementing an information security management system that covers cloud computing.

As an extension to ISO 27002, ISO 27017 provides cloud-specific implementation guidance on 37 controls from ISO 27002 and also adds seven new controls addressing the following:

  • Removal and return of cloud service customer assets when a contract has been terminated

  • The alignment of security management for both virtual and physical networks

  • Protection and separation (segregation) of a customer’s virtual environment from those of other customers

  • The shared roles and responsibilities between the cloud service provider and its customers

  • Operational security procedures for administrators of a cloud computing environment

  • Allowing cloud service customers to monitor relevant activities within the cloud service

  • Hardening of virtual machines to meet business needs


Benefits of ISO 27017 Certification

Supporting data privacy compliance

Allowing organizations to use the standard to encompass privacy laws, regulations and requirements.

Improved risk management

Identify potential incidents and implement controls and measures to keep risk as low as possible, protecting employees and customers from harm.

Improving customer trust

Reducing the risk of data breaches and other incidents increases stakeholders’ trust.

Commitment to security

Demonstrate commitment to information security to customers, suppliers and other interested parties.

Save time and win bids

Certification to ISO 27017 will make it easier to respond to security questionnaires, demonstrate compliance and assure individuals their data is protected. This standard can provide extra assurance to potential customers which may enable you to win more bids.

Proven business credentials

Independent verification against a globally recognized industry standard speaks volumes.

Why implement ISO 27017?

Making clients feel safe about their data being stored in the cloud is vital. Implementing ISO/IEC 27017 gives you an internationally standardised framework that can help reduce the risk of data breaches and build customer trust by showing your commitment to information security. The standard also gives guidance to cloud service customers on what they should expect from their cloud service providers.

The standard covers a range of topics such as asset ownership, removal and return of assets when a customer contract has been terminated, protection and separation of a customer’s virtual environment, and more. With the risk of cloud data breaches growing, it is now more important than ever to know that you and your organisation are doing all you can to reduce these risks, whether as a cloud service provider, a cloud service customer, or both.

As ISO 27017 is built on the foundations of the ISO 27001 and ISO 27002 framework, certification demonstrates compliance internationally and helps your organisation, whether it is a cloud service provider or a cloud service customer, to manage risks within the cloud. Note that ISO 27017 is a code of practice rather than a standalone management system standard: its cloud-specific controls are assessed as an extension to an ISO 27001 information security management system, so they should be included in the ISMS scope and Statement of Applicability.

How NQA can help you

With a wealth of experience providing accredited management systems certifications, NQA is ideally placed to partner with you to meet stakeholder requirements and exceed industry expectations.

Technical committees and industry relationships. NQA is highly involved in a wide variety of industry committees and standards writing teams, helping us to maintain a keen awareness of changes within the industry.

Knowledge transfer supporting our customer’s organizational strategy. NQA is committed to ensuring customer awareness regarding changes in industry strategy, regulations, and standard requirements that may impact your management system approach. 

If you are interested in understanding how NQA can assist you in gaining certification against ISO 27017 please contact our sales team.

Steps to Certification

  1. Complete a Quote Request Form so that we can understand your company and requirements. You can do this by completing either the online quick quote or the online formal quote request form. We will use this information to accurately define your scope of assessment and provide you with a proposal for certification.

  2. Once you have agreed your proposal, we will contact you to book your assessment with an NQA Assessor. This assessment consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and a full cycle of internal audits.

  3. Following a successful two-stage audit, a certification decision is made and, if positive, certification to the required standard is issued by NQA. You will receive both a hard and a soft copy of the certificate. Certification is valid for three years and is maintained through a programme of annual surveillance audits and a three-yearly recertification audit.
