ISO 27017
Information Security Controls for Cloud Services
Secure your cloud environment with purpose-built controls for cloud service providers and cloud customers — extending your ISO 27001 ISMS into the cloud with confidence.
Overview
ISO/IEC 27017 is a code of practice that provides guidelines for information security controls applicable to the provision and use of cloud services. It builds on ISO 27001 and ISO 27002, adding cloud-specific guidance for both cloud service providers (CSPs) and cloud service customers (CSCs).
As Indonesian organizations increasingly migrate workloads to AWS, Azure, GCP, and local cloud providers, the shared responsibility model creates new security ambiguities. ISO 27017 clarifies what controls the cloud provider handles and what the customer must manage — reducing security gaps that attackers exploit. Tobias helps you implement ISO 27017 controls whether you are a cloud provider, a heavy cloud user, or both.
Key Benefits
Clarify Cloud Shared Responsibility
ISO 27017 explicitly defines security responsibilities between cloud providers and customers, eliminating dangerous assumption gaps in your cloud security posture.
Extend ISO 27001 into the Cloud
If you already have ISO 27001, ISO 27017 provides the cloud-specific controls needed to make your ISMS genuinely effective in cloud environments.
Meet Enterprise & Regulatory Cloud Security Requirements
Demonstrate to enterprise clients, OJK, and data protection authorities that your cloud operations meet internationally recognized security standards.
Reduce Cloud Security Incidents
Implement proven controls for cloud asset management, virtual network segmentation, privileged access management, and cloud monitoring to prevent breaches.
Key Requirements
1. Shared Roles & Responsibilities
Document the division of information security responsibilities between the cloud service provider and cloud customer for each service in scope.
2. Cloud Asset Management
Maintain an inventory of assets in the cloud, ensure removal of temporary cloud assets when no longer needed, and protect cloud service customer data.
3. Virtual Environment Security
Implement controls for virtual machine hardening, network segmentation in virtual environments, and isolation between different customers' environments.
4. Cloud Administration Security
Secure administrative access to cloud management planes, implement strong authentication for cloud portals, and monitor administrative activities.
5. Monitoring & Incident Response in the Cloud
Establish cloud-specific monitoring, logging, and incident response procedures that account for the distributed and elastic nature of cloud environments.
Frequently Asked Questions
Do I need ISO 27001 before implementing ISO 27017?
ISO 27017 is designed as an extension to ISO 27001 — it references the ISO 27001 control framework and adds cloud-specific guidance. In practice, most organizations implement ISO 27017 alongside or after ISO 27001. It is possible to implement ISO 27017 controls independently, but you get the most value when it extends an existing ISMS.
Is ISO 27017 certifiable?
ISO 27017 itself is a code of practice (guidelines), not a certifiable standard with its own audit scheme. However, many certification bodies offer ISO 27001 certification that explicitly includes ISO 27017 controls as part of the Statement of Applicability — effectively giving you audited assurance against cloud security controls.
How does ISO 27017 relate to ISO 27018?
ISO 27017 covers cloud security controls broadly — for any type of cloud service. ISO 27018 specifically addresses the protection of Personally Identifiable Information (PII) in public cloud services. For organizations handling personal data in the cloud, implementing both together provides comprehensive coverage.