ISO/IEC 27017




ISO/IEC 27017:2015 / ITU-T X.1631 — Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services



“This Technical Specification / International Standard is to define guidelines supporting the implementation of Information Security Management for the use of cloud service. The adoption of this Technical Specification/ International Standard allows cloud consumers and providers to meet baseline information security management with the selection of appropriate controls and implementation guidance based on risk assessment for the use of cloud service.”
[Source: SC27 Standing Document 11 (2021)]


This standard provides guidance on the information security aspects of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO/IEC 27002 and other ISO27k standards.


Scope and purpose

The code of practice provides additional information security controls implementation advice beyond that provided in ISO/IEC 27002, in the cloud computing context.

The standard advises both cloud service customers and cloud service providers, with the guidance for each party laid out side-by-side in every section. For instance, section 6.1.1 on information security roles and responsibilities says, in addition to section 6.1.1 of ISO/IEC 27002:2013:


Cloud service customer: The cloud service customer should agree with the cloud service provider on an appropriate allocation of information security roles and responsibilities, and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should be stated in an agreement. The cloud service customer should identify and manage its relationship with the customer support and care function of the cloud service provider.

Cloud service provider: The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers.



Other information for cloud computing

Even when responsibilities are determined within and between the parties, the cloud service customer is accountable for the decision to use the service. That decision should be made according to the roles and responsibilities determined within the cloud service customer’s organization. The cloud service provider is accountable for the information security stated as part of the cloud service agreement. The information security implementation and provisioning ... [read the standard for the full text!]


Normative standards

The standard cites ISO/IEC 27000 and 27002, of course, plus ISO/IEC 17788 (Cloud computing - Overview and vocabulary) and ISO/IEC 17789 (Cloud computing - Reference architecture). Curiously, although ISO/IEC 27001 appears in the bibliography, it is not listed as a normative reference (i.e. essential reading): although unusual, an organization can apply the controls recommended by ISO/IEC 27002 without also operating an ISMS.


Status of the standard

The standard was developed jointly by ISO/IEC and ITU and hence is dual-numbered as both ISO/IEC 27017 and ITU-T X.1631 with identical content.

The first edition was published at the end of 2015.

November update: Work has begun on a second edition. It will be updated to “capture a full set of guidance for information security controls applicable to cloud services, both from the 3rd edition of ISO/IEC 27002 and any additional controls related specifically to cloud services.” SC27 and ITU-T are collaborating on this.


Personal comments

The standards project had widespread support from ISO/IEC JTC 1/SC 27, ITU-T Q8/SG17, national standards bodies plus the Cloud Security Alliance among others.

As an ambitious first edition of about 40 pages, it may not be brilliant but it was a useful starting point in this rapidly-developing field.

This standard closed a gap in ISO/IEC 27002:2013 section 15, which somehow contrived to cover the information security aspects of supplier relationships without actually mentioning ‘cloud’!

As a sector-specific standard, it falls within the remit of ISO/IEC 27009.

SC 27 decided not to progress a separate cloud information security management system specification standard, judging that ISO/IEC 27001 is sufficient. Therefore, there are no plans to certify the security of cloud service providers specifically. They can however be certified compliant with ISO/IEC 27001, like any other organization.

SC 27’s development of dedicated cloud privacy and cloud service supplier management standards in parallel implies that this standard should have excluded both aspects, referring to those standards instead ... which indeed happened for privacy but not for relationship management. Odd that.



Copyright © 2021 IsecT Ltd.