ISO 27017:2015
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (17)
Clause 8 – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::8.1 | Responsibility for assets |
| iso-27017-2015::8.2 | Information classification |
Clause 9 – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::9.1 | Business requirements of access control |
| iso-27017-2015::9.2 | User access management |
| iso-27017-2015::9.3 | User responsibilities |
| iso-27017-2015::9.4 | System and application access control |
Cloud sector-specific concepts – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::4.1 | Overview |
| iso-27017-2015::4.2 | Supplier relationships in cloud services |
| iso-27017-2015::4.3 | Relationships between cloud service customers and cloud service providers |
| iso-27017-2015::4.4 | Managing information security risks in cloud services |
| iso-27017-2015::4.5 | Structure of this standard |
Communications security – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::13.1 | Network security management |
| iso-27017-2015::13.2 | Information transfer |
Compliance – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::18.1 | Compliance with legal and contractual requirements |
| iso-27017-2015::18.2 | Information security reviews |
Cryptography – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::10.1 | Cryptographic controls |
Definitions and abbreviations – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::3.1 | Terms defined elsewhere |
| iso-27017-2015::3.2 | Abbreviations |
Human resource security – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::7.1 | Prior to employment |
| iso-27017-2015::7.2 | During employment |
Information security aspects of business continuity management – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::17.1 | Information security continuity |
| iso-27017-2015::17.2 | Redundancies |
Information security incident management – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::16.1 | Management of information security incidents and improvements |
Information security policies – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::5.1 | Management direction for information security |
Normative references – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::2.1 | Identical Recommendations \| International Standards |
| iso-27017-2015::2.2 | Additional References |
Operations security – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::12.1 | Operational procedures and responsibilities |
| iso-27017-2015::12.2 | Protection from malware |
| iso-27017-2015::12.3 | Backup |
| iso-27017-2015::12.4 | Logging and monitoring |
| iso-27017-2015::12.5 | Control of operational software |
| iso-27017-2015::12.6 | Technical vulnerability management |
| iso-27017-2015::12.7 | Information systems audit considerations |
Organization of information security – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::6.1 | Internal organization |
| iso-27017-2015::6.2 | Mobile devices and teleworking |
Physical and environmental security – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::11.1 | Secure areas |
| iso-27017-2015::11.2 | Equipment |
Supplier relationships – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::15.1 | Information security in supplier relationships |
| iso-27017-2015::15.2 | Supplier service delivery management |
System acquisition, development and maintenance – ISO 27017:2015
| Code | Title |
|---|---|
| iso-27017-2015::14.1 | Security requirements of information systems |
| iso-27017-2015::14.2 | Security in development and support processes |
| iso-27017-2015::14.3 | Test data |
Your Compliance Coverage
If you comply with ISO 27017:2015, you already cover:
| Framework | Coverage | Controls mapped |
|---|---|---|
| ISO 27701:2019 | 71% | 30 |
| ISO 27018:2019 | 50% | 21 |
| ISO 27043 | 19% | 8 |

+ 40 more: ISO/SAE 21434 (19%), ISO 27002:2022 (14%)
Maps to 43 other frameworks
Frequently Asked Questions
What is ISO 27017:2015?
ISO 27017:2015 is an international compliance framework with 17 domains and 42 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does ISO 27017:2015 have?
ISO 27017:2015 has 42 controls organised across 17 domains. The largest domains are Operations security – ISO 27017:2015 (7 controls), Cloud sector-specific concepts – ISO 27017:2015 (5 controls), Clause 9 – ISO 27017:2015 (4 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does ISO 27017:2015 map to?
ISO 27017:2015 maps to 43 other compliance frameworks. The top mapping partners are ISO 27701:2019 (71% coverage), ISO 27018:2019 (50% coverage), ISO 27043 (19% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with ISO 27017:2015 compliance?
Start your ISO 27017:2015 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO 27017:2015 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 42 controls and track your progress.