ISO/IEC 27017:2015

International

2 domains

37 controls

ISO/IEC 27017:2015 Code of practice for information security controls for cloud services.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (2)

Both

32 controls

Controls in the Both domain of ISO/IEC 27017:2015 — 32 controls
Code	Title	Description
10.1.1	Policy on the use of cryptographic controls (cloud)	Cryptographic controls shall be applied to data in transit and at rest within cloud services, with clear key custody.
10.1.2	Key management (cloud)	Cryptographic key lifecycle in cloud must define generation, storage in HSM or KMS, rotation, revocation, and separation...
12.1.2	Change management (cloud)	Cloud customer shall be informed of and able to manage changes affecting the cloud service.
12.1.3	Capacity management (cloud)	Capacity planning must account for elastic cloud consumption, quota limits, and noisy-neighbour effects, with CSP publis...
12.3.1	Information backup (cloud)	Backups of cloud-hosted data shall be defined, performed and tested in line with retention needs.
12.4.1	Event logging (cloud)	Event logs from cloud services shall be produced, kept and reviewed.
12.4.3	Administrator and operator logs (cloud)	All actions of cloud administrators and operators must be logged, with logs protected from modification by the administr...
12.6.1	Management of technical vulnerabilities (cloud)	Vulnerability management must cover cloud workloads, container images, serverless functions, and platform configurations...
13.1.3	Segregation in networks (cloud)	Network segregation in cloud environments shall align with sensitivity and exposure of workloads.
13.2.2	Agreements on information transfer (cloud)	Data transfer agreements must address cross-border cloud transfers, sub-processor flows, and standard contractual clause...
14.1.1	Information security requirements analysis (cloud apps)	Security requirements for cloud-deployed applications shall be specified before development or acquisition.
15.1.1	Information security policy for supplier relationships (cloud)	Security requirements for cloud providers shall be defined and reflected in contracts.
15.1.2	Addressing security within supplier agreements (cloud)	Cloud agreements must specify security obligations, audit rights, incident notification timelines, data return on termin...
16.1.1	Responsibilities and procedures (cloud incidents)	Incident response procedures shall address cloud-specific incidents and provider coordination.
16.1.2	Reporting information security events (cloud)	Mechanisms must enable CSC to report events to CSP and vice versa within agreed timeframes, with secure communication ch...
18.1.1	Identification of applicable legislation (cloud)	Legal, regulatory and contractual requirements applicable to cloud data and location shall be identified.
5.1.1	Leadership and commitment (general)	Top management shall demonstrate leadership and commitment with respect to the QMS by taking accountability, ensuring po...
6.1.1	Information security roles and responsibilities (cloud guidance)	Cloud-specific information security roles shall be defined for both customer and provider.
6.1.3	Compliance Obligations	Determine and have access to compliance obligations related to environmental aspects and determine how they apply to the...
7.2.2	Information security awareness, education and training (cloud)	Awareness training shall cover cloud-specific risks and the shared responsibility model.
8.1.1	Operational planning and control, general	Plan, implement, control and maintain the processes needed to meet OH&S MS requirements and to implement the actions det...
8.1.2	Eliminating hazards and reducing OH&S risks	Establish, implement and maintain processes for the elimination of hazards and reduction of OH&S risks using the hierarc...
8.2.2	Asset Management	Assets used to deliver services are identified, recorded and controlled including financial value.
9.1.2	Access to networks and network services (cloud)	Access to cloud services and their management APIs shall be restricted to authorized users.
9.2.1	Internal audit (general)	Conduct internal audits at planned intervals to provide information on whether the EMS conforms to organization requirem...
9.2.3	Management of privileged access rights (cloud)	Privileged cloud roles (root, owner, global admin) must be limited, time-bound where possible, monitored, and subject to...
9.2.4	Management of secret authentication information (cloud)	Cloud API keys, access tokens, and service-account credentials must be stored in a secret manager, rotated, and never em...
9.4.1	Information access restriction (cloud)	Access to information in cloud services must use least-privilege IAM policies with deny-by-default, scoped to resource a...
CLD.12.1.5	Administrator's operational security	Procedures for administrator operations in cloud environments shall be defined and documented.
CLD.12.4.5	Monitoring of cloud services	Customer shall have capability to monitor relevant aspects of cloud service operation.
CLD.6.3.1	Shared roles and responsibilities within a cloud computing environment	Cloud service customer and provider responsibilities for information security shall be allocated, agreed and documented.
CLD.9.5.2	Virtual machine hardening	Virtual machines in cloud environments shall be hardened to meet business needs.

Cloud Service Provider

5 controls

Controls in the Cloud Service Provider domain of ISO/IEC 27017:2015 — 5 controls
Code	Title	Description
11.2.7	Secure disposal or reuse of equipment (cloud)	Customer data on shared cloud media shall be addressed via provider procedures for secure disposal or reuse.
9.4.4	Use of privileged utility programs (cloud)	CSP must control use of utilities capable of overriding system or application security in the cloud platform, with stric...
CLD.13.1.4	Alignment of security management for virtual and physical networks	Network security policies shall apply consistently to virtual and physical networks in cloud environments.
CLD.8.1.5	Removal of cloud service customer assets	Customer assets in the cloud service shall be removed, returned or securely deleted upon termination as specified in the...
CLD.9.5.1	Segregation in virtual computing environments	Customer environments shall be segregated from other customers and the provider in a multi-tenant cloud.

Frequently Asked Questions

What is ISO/IEC 27017:2015?

ISO/IEC 27017:2015 is a compliance framework from International with 2 domains and 37 controls. ISO/IEC 27017:2015 Code of practice for information security controls for cloud services. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does ISO/IEC 27017:2015 have?

ISO/IEC 27017:2015 has 37 controls organised across 2 domains. The largest domains are Both (32 controls), Cloud Service Provider (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does ISO/IEC 27017:2015 map to?

ISO/IEC 27017:2015 does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with ISO/IEC 27017:2015 compliance?

Start your ISO/IEC 27017:2015 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about ISO/IEC 27017:2015 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 37 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required