ISO 27017 and ISO 27018: cloud security and privacy, explained

7 min read · Updated June 2026

ISO 27017 and ISO 27018 are the cloud extensions to ISO 27001. ISO 27017 adds cloud-specific security controls and guidance; ISO 27018 adds controls for protecting personal data (PII) in public clouds. Both build on an ISO 27001 management system rather than replacing it, so they are usually pursued alongside or just after ISO 27001.

What they are

ISO 27001 is the core information-security management system standard. ISO 27017 and ISO 27018 are codes of practice that extend its control set for the cloud: one for cloud security generally, the other for privacy in public clouds. They are not standalone management systems, so they sit on top of an ISO 27001 programme.

ISO 27017: cloud security

ISO/IEC 27017:2015 adds cloud-specific controls and extra guidance on top of the ISO 27002 controls. It addresses things a general security standard does not spell out for the cloud, such as:

  • The division of security responsibilities between the cloud provider and the cloud customer.
  • Segregation of customers in shared virtual environments.
  • Virtual machine hardening and secure administrator operations.
  • Customer access to monitoring data and logs about their own use of the service.

ISO 27018: cloud privacy

ISO/IEC 27018:2019 adds privacy controls for public-cloud providers that act as a processor of personal data. It focuses on protecting PII the cloud customer entrusts to the provider:

  • Processing PII only on the customer's documented instructions.
  • Transparency about sub-processors and the locations where PII is processed.
  • Support for data-subject access, correction, and erasure requests.
  • Rules for the return, transfer, and secure deletion of PII, and breach notification to the customer.

How they relate to ISO 27001 and GDPR

Because both extend ISO 27001, the controls you already implement for your ISMS carry across, and you only do the genuinely cloud-specific work once. ISO 27018 in particular aligns closely with the processor obligations in GDPR Articles 28 and 32, so it gives a cloud vendor an auditable way to evidence much of its GDPR processor posture.

Who needs them, and how to approach it

  1. Confirm your ISO 27001 ISMS is the foundation; these extensions assume it.
  2. Add ISO 27017 if you provide or heavily use cloud services and want to evidence cloud-specific controls.
  3. Add ISO 27018 if you process personal data as a public-cloud or SaaS provider.
  4. Map the new controls onto your existing ISO 27001 controls so the overlap is reused.
  5. Maintain the evidence so you stay ready for the combined audit.

Frequently asked questions

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 covers cloud security broadly, including the provider-customer responsibility split and virtual environment controls. ISO 27018 covers the protection of personal data (PII) in public clouds specifically. Many cloud vendors pursue both, on top of ISO 27001.

Do I need ISO 27001 first?

In practice, yes. Both ISO 27017 and ISO 27018 extend ISO 27002 and assume an ISO 27001 management system, so they are pursued alongside or just after ISO 27001 rather than on their own.

Are ISO 27017 and ISO 27018 certifiable?

They are assessed as extensions to an ISO 27001 certification rather than as fully independent certificates, so an accredited body audits them together with your ISO 27001 ISMS.