ISO 27017 & ISO 27018: Cloud Security and Privacy Explained
ISO 27001 was written for any organisation; the cloud raises questions it doesn’t answer directly — who secures what in a shared-responsibility model, what happens to your data when you leave a provider, how tenants are kept apart. ISO 27017 (cloud security) and ISO 27018 (PII in public clouds) are the codes of practice that fill those gaps.
The two standards, side by side
| ISO/IEC 27017 | ISO/IEC 27018 | |
|---|---|---|
| Focus | Information security in cloud services | Protection of PII in public clouds |
| Audience | Cloud providers and cloud customers | Primarily cloud providers acting as PII processors |
| Adds | Cloud guidance on existing controls, plus cloud-specific controls | Privacy-specific commitments layered on the security baseline |
| Typical driver | Enterprise procurement and cloud due-diligence | GDPR-style processor obligations and customer trust |
What ISO 27017 actually adds
ISO 27017 takes the ISO 27002 control set and answers “what does this mean in the cloud?” for both sides of the shared-responsibility line. Its distinctive additions include:
- Defined, documented split of security roles and responsibilities between provider and customer.
- Removal and return of cloud-customer assets when the service ends — your exit path, in writing.
- Segregation between tenants in shared virtual environments.
- Hardening of virtual machines and administrator operational procedures.
- Customer visibility: the ability to monitor relevant activity within the cloud service.
- Alignment of virtual- and physical-network security management.
What ISO 27018 actually adds
ISO 27018 is narrower and sharper: it applies privacy principles to a public-cloud provider processing PII on customers’ behalf. The commitments customers care about most:
- Customer data is processed only on documented instructions — never used for advertising or marketing without explicit consent.
- Transparency about where PII is stored and which subcontractors touch it.
- Support for customers’ own obligations: helping honour access, correction and deletion requests.
- Prompt notification of breaches involving PII, with enough detail for the customer to meet their own duties.
- Return, transfer or secure disposal of PII when the engagement ends.
How certification really works
A detail procurement teams often get wrong: 27017 and 27018 are codes of practice, not standalone management-system standards. Nobody holds a bare “ISO 27018 certificate” — organisations are certified to ISO 27001 with the 27017/27018 control sets included in the Statement of Applicability and audited within that scope. When a vendor claims these standards, ask to see the 27001 certificate and confirm the extensions appear in its scope statement.
Who should care
If you sell a cloud service: these are increasingly table stakes in enterprise and public-sector procurement, and 27018 in particular is a fast, credible answer to GDPR processor due-diligence. If you buy cloud services: use the 27017 responsibility-split as your due-diligence checklist — most cloud incidents happen on the customer side of the line, in the gap each party assumed the other owned.
The bottom line
Treat ISO 27017/27018 as the cloud dialect of your ISMS: same control library, cloud-specific answers. If ISO 27001 is already in place, extending the SoA to cover them is a mapping exercise — and it converts “trust us” into an auditable claim.
Extend your ISMS to the cloud, without a second programme
Cyber Horizon maps ISO 27017 and ISO 27018 onto the same control library as ISO 27001 — so the cloud extensions are additional coverage, not additional work.
Book a Demo