ISO/IEC 27017:2015 - Cloud Security

ISO/IEC 27017:2015 provides cloud-specific information security controls that extend an existing ISO/IEC 27001 Information Security Management System. We support organizations with ISO 27017 gap assessments, implementation, internal audits, and certification readiness for cloud environments.

What is ISO/IEC 27017:2015?

ISO/IEC 27017:2015 is an international standard that provides additional information security controls and guidance for cloud service providers and cloud service customers. It builds on ISO/IEC 27001 by addressing risks specific to cloud computing, including shared responsibility models, virtualisation, and cloud asset management.

ISO 27017 is typically implemented alongside ISO 27001 and applies to organizations offering, using, or migrating services to cloud environments where data security, segregation, and transparency are critical.


Why Choose Seratos for ISO/IEC 27017?

  • 01. Cloud Security Experience Across Complex Environments

    We support cloud service providers and organizations using cloud platforms across software, telecommunications, and regulated environments, aligning cloud security controls with real operational and contractual models.

  • 02. Risk-Based, Integrated Implementation

    ISO 27017 is most effective when integrated into an existing ISO 27001 program. We take a structured, risk-based approach to extending existing ISMS controls to address cloud-specific risks without duplicating effort.

  • 03. Independent, Audit-Ready Support

    As independent consultants, we support implementation, internal audits, and audit readiness to help organizations prepare for external certification audits conducted by accredited bodies.

Our Comprehensive ISO/IEC 27017 Services

  • Assessment of existing ISO 27001 controls against ISO 27017 requirements to identify gaps related to cloud security, shared responsibility, and virtualised environments.

  • Structured identification and evaluation of cloud-specific operational and security risks, tailored to your cloud architecture, services, and business priorities.

  • Support implementing ISO 27017 controls related to tenant separation, virtual machine hardening, asset management, logging, monitoring, and responsibility allocation.

  • Assistance in defining, documenting, and communicating information security responsibilities between cloud service providers and customers.

  • Development and refinement of policies, procedures, and records required to support ISO 27017 controls and audit evidence.

  • Independent internal audits and readiness assessments to prepare for certification or surveillance audits.

  • Support integrating ISO 27017 with ISO 27001, SOC 2, or NIST CSF to create a unified, maintainable cloud security framework.

Supported Standards & Frameworks

Frequently Asked Questions

  • We offer a range of solutions designed to meet your needs—whether you're just getting started or scaling something bigger. Everything is tailored to help you move forward with clarity and confidence.

  • ISO/IEC 27017 builds on ISO/IEC 27001 by introducing additional controls and guidance specific to cloud computing. It is typically implemented as an extension of an existing ISO 27001 Information Security Management System (ISMS).

  • Yes. ISO/IEC 27017 is designed to be implemented alongside ISO/IEC 27001 and relies on an established ISMS framework. Organizations without ISO 27001 in place typically need to implement or align with ISO 27001 first.

  • ISO/IEC 27017 addresses risks related to cloud environments, including shared responsibility models, tenant separation, virtual machine hardening, cloud asset management, monitoring and logging, and data handling at contract termination.

  • No. Seratos does not issue certifications or act as a certification body. We provide independent consulting support, including gap assessments, implementation, internal audits, and certification readiness for audits conducted by accredited certification bodies.

  • Yes. ISO/IEC 27017 is commonly integrated with ISO/IEC 27001 and may also align with SOC 2 or NIST CSF requirements. Seratos supports integrated approaches to reduce duplication and create a unified cloud security program.