ISO 27017 - Code of practice for cloud services

    Standards and Frameworks

    ISO 27017 - Code of practice for cloud services

    ISO/IEC 27017:2015

    The International Standard 27017 (ISO 27017) is a guideline for code of practice for information security controls based on ISO 27002 for cloud services. This standard is intended to assist organizations whose business model is fully or partly dependent on cloud services.  

    Last Updated: July 30, 2019

  • General

    ISO 27017 provides further guidelines on implementation of information security controls under ISO 27002 for organizations using or offering cloud services. This standard recognizes the potential of additional and unpredictable security risks which may arise in cloud services and provides recommendations accordingly.

    This ISO provides guidelines on responsibilities of parties who are involved in the cloud service, especially in supplier, or customer and service provider context.  It provides guidelines on conducting risk assessment and implementing controls for both service providers and customers.

    Further, ISO 27017 provides industry and department specific guidance on implementation of security controls in cloud services in the following context:

    • Human resource security;
    • Asset management;
    • Access control;
    • Cryptography controls;
    • Physical and environmental security;
    • Operations security;
    • Communications security;
    • System acquisition, development and maintenance;
    • Supplier relationships;
    • Information security incident management;
    • Information security aspects of business continuity management; and
    • Compliance.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.