ISO/IEC 27017, automated
Add the cloud-specific controls of ISO 27017 on top of your ISO 27001 programme, with an agent to do the legwork and a human to certify.
- Live today
- Cross-mapped with ISO 27001
- Agent-assisted, human-certified
- EU data residency
ISO/IEC 27017 is the cloud-security extension to ISO 27002: a set of cloud-specific controls and guidance for organisations that provide or use cloud services. Diligio Compliance runs them alongside your ISO 27001 ISMS, so the cloud controls reuse the evidence and ownership you already have rather than starting a separate programme.
What ISO 27017 is
ISO/IEC 27017:2015 is a code of practice that adds cloud-specific controls (the CLD series) and extra implementation guidance to the ISO 27002 controls. It addresses things a general security standard does not, such as the split of responsibility between provider and customer, segregation in virtual environments, and customer access to logs.
It is not a standalone certification in the usual sense: it builds on ISO 27001, so organisations typically pursue it alongside or just after ISO 27001 certification rather than on its own.
How Diligio Compliance helps
Cloud controls on your ISMS
A control register covering the ISO 27017 cloud-specific controls, each with status, owner, proof, and last-reviewed date, sitting alongside your ISO 27001 controls rather than in a separate tool.
Shared-responsibility clarity
Capture which controls are yours, which sit with your cloud provider, and the evidence for each, so the provider-customer split that ISO 27017 cares about is documented and defensible.
An agent that proposes, a human that certifies
Connect your own AI agent to propose evidence and control statuses across the cloud controls. Nothing becomes your attested posture until a person certifies it, with a kill switch and a full audit trail.
Reuse from ISO 27001
ISO 27017 is cross-mapped to ISO 27001, so the controls you have already implemented carry across and you only do the genuinely cloud-specific work once.
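As an added illustration (not Diligio Compliance's own code), a minimal Python model of the register and workflow described above: each CLD control carries status, owner, proof and last-reviewed date plus its provider/customer responsibility; an agent can only propose, a named person certifies, a kill switch stops the agent, and every event lands in an append-only audit trail. The class and method names are hypothetical; control identifiers follow the CLD numbering of ISO/IEC 27017:2015, and the register rows, people and file names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Control:
    cid: str                         # ISO 27017 CLD control identifier
    responsibility: str              # "customer", "provider" or "shared"
    status: str = "not assessed"     # attested status: only human_certify() sets it
    owner: str = ""
    proof: str = ""
    last_reviewed: Optional[date] = None
    proposed: Optional[dict] = None  # agent proposal awaiting a person; never posture

class Register:
    def __init__(self, controls):
        self.controls = {c.cid: c for c in controls}
        self.audit = []              # append-only trail of (actor, control, event)
        self.agent_enabled = True    # kill switch: False refuses every agent action
    def agent_propose(self, cid, status, proof):   # the agent may only propose
        if not self.agent_enabled:
            self.audit.append(("agent", cid, "refused: kill switch engaged"))
            return False
        self.controls[cid].proposed = {"status": status, "proof": proof}
        self.audit.append(("agent", cid, f"proposed {status}"))
        return True
    def human_certify(self, cid, person, accept, on):   # a named person attests
        c = self.controls[cid]
        if c.proposed is None:
            raise ValueError(f"{cid}: nothing to certify")
        if accept:
            c.status, c.proof = c.proposed["status"], c.proposed["proof"]
            c.owner, c.last_reviewed = person, on
        self.audit.append((person, cid, "certified" if accept else "rejected"))
        c.proposed = None            # proposal is consumed either way
    def kill_switch(self, person):
        self.agent_enabled = False
        self.audit.append((person, "*", "agent disabled"))
    def attested_posture(self):      # pending proposals never appear here
        return {cid: c.status for cid, c in self.controls.items()}

def demo():                          # constructed walk-through, not real evidence
    r = Register([Control("CLD.6.3.1", "shared"), Control("CLD.9.5.2", "customer"),
                  Control("CLD.12.4.5", "provider")])
    r.agent_propose("CLD.9.5.2", "implemented", "vm-hardening-scan.json")
    r.human_certify("CLD.9.5.2", "alice", True, date(2024, 3, 4))
    r.agent_propose("CLD.6.3.1", "implemented", "raci-matrix.pdf")      # left pending
    r.kill_switch("alice")
    r.agent_propose("CLD.12.4.5", "implemented", "provider-report.pdf")  # refused
    return r
```

The point to check in any such register is that `attested_posture()` never reflects a proposal that no person has certified, and that the kill switch leaves a trace rather than silently dropping the agent's action.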
New to the process? Read ISO 27017 and ISO 27018, explained.
Frequently asked questions
Do I need ISO 27001 before ISO 27017?
In practice, yes. ISO 27017 extends the ISO 27002 controls and is built on an ISO 27001 management system, so organisations pursue it alongside or just after ISO 27001 rather than on its own. Diligio Compliance runs both together and reuses the overlap.
What does ISO 27017 add over ISO 27001?
Cloud-specific controls and guidance: the division of responsibility between cloud provider and customer, segregation in virtual environments, virtual machine hardening, administrator operations, and customer access to monitoring data.
Is ISO 27017 support available now?
Yes. ISO 27017 is live in Diligio Compliance. Talk to us and we will enable it and map it onto your existing ISO 27001 controls.
Get started
Tell us you are working towards ISO 27017 and we will enable Diligio Compliance for your team and help you get set up. A flat $1,999 per company per year, or $499 for your first year as a startup.