ISO 27017

ISO/IEC 27017 - Information security controls for cloud services

Based on ISO/IEC 27002 for cloud services


As the global use of cloud technology continues to grow, businesses must weigh the risk of storing protected information outside their own infrastructure and evaluate the security options available to protect their information systems. One of the key challenges of cloud computing is addressing the security and privacy concerns both of businesses planning to adopt it and of the cloud service providers (CSPs) that operate it. The fact that valuable enterprise data will reside outside the corporate firewall, on infrastructure shared with other tenants, raises serious concerns: a successful attack on a shared cloud platform can have a domino effect and affect multiple customers even if only one tenant or site was the original target.

What is ISO/IEC 27017 and why is it important?

ISO/IEC 27017 is a code of practice that gives guidance on selecting and implementing information security controls for cloud services. It is relevant not only to organisations that store information in the cloud (cloud service customers), but also to providers that offer cloud services to other companies holding sensitive information (cloud service providers); for many controls it states separately what the customer and the provider are each expected to do. The standard is built upon ISO/IEC 27002: it adds cloud-specific implementation guidance to the existing ISO/IEC 27002 controls and introduces a small set of additional controls that address the needs of cloud organisations and their end-users.

The standard covers topics such as the allocation of asset ownership and shared responsibilities between customer and provider, recovery and return of data if the CSP is dissolved or the service is terminated, removal and disposal of assets holding sensitive information, segregation of customer data in virtual computing environments, alignment of security management for virtual and physical networks, and others. Adopting ISO/IEC 27017 gives an organisation an internationally recognised framework on which to base its cloud security programme and a long-term goal to commit to. Once the guidance has been internalised into its processes, the organisation is better placed to reduce operational and reputational risk and to sustain that position over time.


TÜV SÜD provides the expertise and experience to assess your organisation against the guidance of ISO/IEC 27017. We assess the gap between what the company declares about its cloud security and what is actually implemented. We identify areas of concern and opportunities in the company's cloud security strategy and support you in linking a core business strategy to cloud security. With a tailor-made assessment tool we can measure a programme's performance and identify improvements and risks linked to the organisation's business strategy.


  • Develop a long-term strategy - By adhering to the ISO/IEC 27017 guidelines, you minimise reputational risks and issues related to cloud security. This encourages potential investors and sponsors to regard you as a responsible partner. By mitigating the risk of data breaches and other cyber-attacks, you win stakeholder confidence and gain competitive advantage.
  • Increase transparency - A third-party assessment helps the company demonstrate to stakeholders its foothold in global information security practices and its ability to meet the requirements of industry standards.
  • Reduce reputational risks - By implementing a strategy based on ISO/IEC 27017, the company is able to analyse its own vulnerabilities and mitigate the risk of data breaches. The external assessment we conduct supports you in identifying those risks and reducing them.
  • Meet compliance - Implementing ISO/IEC 27017 helps you adhere to national and international regulations, thus mitigating the risk of regulatory fines and penalties for data breaches and other cyber-attacks.

