ISO/IEC 27017 Certification

Safeguard your cloud services through robust information security controls


Organisations worldwide are increasingly aware of the business value that cloud computing brings and are taking steps to move workloads to the cloud. A smooth transition requires a thorough understanding of both the benefits and the challenges involved. One of the key challenges is how cloud computing addresses the security and privacy concerns of businesses planning to adopt it, and of the cloud service providers (CSPs) operating it.

The fact that valuable enterprise data will reside outside the corporate perimeter raises serious concerns. Because cloud infrastructure is shared between tenants, a compromise of that infrastructure can have a domino effect and affect multiple customers even if only one of them was the target. As global use of cloud technology continues to grow, businesses must weigh the risk of storing protected information in the cloud and evaluate the security options available to protect their information systems.

ISO/IEC 27017 is a set of guidelines for safeguarding cloud-based environments and minimising the risk of security incidents. Any organisation which provides cloud-based services can benefit from ISO/IEC 27017 certification, from online email providers and document management platforms to cloud-based apps and tools. It demonstrates to customers that you apply an internationally recognised set of cloud-specific security controls and have processes in place to manage incidents when they occur.

If your organisation provides cloud services, your customers will want assurance that their data, documents, messages and activity are protected. They will also want evidence that they can retrieve and move their data, including when the service ends. The ISO/IEC 27017 standard gives them that confidence.

What is ISO 27017?

Organisations seeking to approach cloud security in a structured and reliable manner can benefit greatly from the ISO/IEC 27017 guidelines. ISO/IEC 27017 is a standard developed for both cloud service providers and cloud service customers, aimed at securing the cloud-based environment and minimising the risk of a security incident. The standard addresses topics such as:

  • Asset ownership
  • Recovery plans if the CSP is dissolved
  • Disposal of assets containing sensitive information
  • Segregation and storage of data
  • Alignment of security management for virtual and physical networks

ISO/IEC 27017 is designed to assist in the selection and implementation of controls for cloud-based organisations. It is relevant not only to organisations which store information in the cloud, but also to providers which offer cloud-based services to other companies that handle sensitive information. The standard is built on ISO/IEC 27002: it adds cloud-specific implementation guidance to the existing ISO/IEC 27002 controls and introduces additional controls for the needs of cloud organisations and their end-users. ISO/IEC 27017 is a code of practice rather than a management system standard, so in practice it is assessed alongside an ISO/IEC 27001 information security management system.

The ISO/IEC 27017 assessment is normally structured in tailor-made verification steps. The output of this verification process can be made available both internally within the company and publicly. The organisation may also choose to define the boundary of the assessment in relation to the core topics of the standard, focusing on those that are most critical to the organisation and its business practices.

Why is ISO/IEC 27017 cloud security important?

Cloud data security is vital, as clients will want to be sure that their data is safe while stored in the cloud. The ISO/IEC 27017 cloud security standard gives the organisation an internationally standardised framework on which to base its cloud security programme and a long-term goal to commit to.

Once the requirements have been internalised, the organisation is able to reduce operational and reputational risk and work towards a sustainable future. The standard covers the topics listed above in depth, including asset ownership, recovery if the CSP is dissolved, disposal of assets containing sensitive information, segregation and storage of data, and the alignment of security management for virtual and physical networks.

How can we help you?

As an internationally accredited certification body, we provide the expertise and experience to assess your organisation against the ISO/IEC 27017 guidelines. We assess the gap between what the company declares about its cloud security and what is actually implemented. We identify areas of concern and opportunities for the company's cloud security strategy, and support the identification of a core business strategy linked to cloud security.

With a tailor-made assessment tool, TÜV SÜD can measure a programme's performance and identify improvements and risks linked to an organisation's business strategy. This aligns the organisation's overall security strategy with the ISO/IEC 27017 standard.

ISO/IEC 27017 Certification process

Step 1: Get in touch with us to receive a customised quote, including detailed costs, planning and time scales
Step 2: We conduct an in-depth assessment
Step 3: Our assessment report is released to you
Step 4: Issuance of ISO/IEC 27017 certification


Benefits of ISO/IEC 27017 certification

  • Reduce operational risk - By adhering to the ISO/IEC 27017 guidelines, you can systematically analyse vulnerabilities and mitigate data breaches, along with the regulatory fines and penalties that follow them
  • Win market trust - An independent third-party ISO/IEC 27017 assessment demonstrates your commitment to global information security practices. Winning stakeholder confidence gives you a competitive advantage, as potential investors and customers identify you as a responsible partner
  • Expand your business - Become a preferred CSP and expand your business globally by adhering to the international ISO/IEC 27017 guidelines
  • Meet compliance - Implementing the ISO/IEC 27017 standard supports adherence to national and international regulations, reducing the risk of regulatory fines and penalties for data breaches and other cyber-attacks
  • Inclusive standard - Within the cloud computing environment, the ISO/IEC 27017 standard clearly outlines the shared roles, rights and responsibilities of the cloud service customer and the cloud service provider


TÜV SÜD is a world leader in cloud computing service auditing and assessment and works with companies around the globe to provide independent audits and certification. Based on years of technical experience, our auditors are able to rapidly understand your cloud system's architecture and assess whether or not it conforms to the standard. Where it does not, our reports show which areas you need to improve before ISO/IEC 27017 certification can be issued.

As TÜV SÜD is vendor-agnostic, our ISO/IEC 27017 assessments are both impartial and independent, and we follow the highest standards of auditing practice to ensure neutrality and reliability every time. Our rigorous approach ensures greater trust from your customers.