ISO 27017 Certification
ISO/IEC 27017 is an international standard that establishes specific information security controls for cloud computing. It deepens and extends the general ISO/IEC 27002 controls by adding seven new security measures unique to the cloud environment and providing extended implementation guidance for thirty-seven controls in the context of cloud service provision and consumption. The standard addresses both cloud service providers (CSP) and their customers — cloud service customers (CSC).
Imperium Certific is a NAAU-accredited certification body. We conduct certification audits according to the requirements of DSTU EN ISO/IEC 27017:2022 (EN ISO/IEC 27017:2021, IDT; ISO/IEC 27017:2015, IDT) as a scope extension of ISO/IEC 27001 certification.
Important to understand: ISO/IEC 27017 is by nature a code of practice, not a requirements standard. There is no standalone certification for ISO 27017 — the only certification standard in the 27000 series remains ISO/IEC 27001. Certification under ISO 27017 is achieved through scope extension of the ISO/IEC 27001 audit with the inclusion of 27017 controls in the Statement of Applicability. This practice is the industry standard — under this model, Microsoft Azure, AWS, Google Cloud, Oracle, Salesforce, and other leading global cloud providers are certified.
Who Needs ISO 27017 Certification
The ISO/IEC 27017 standard applies to any organization that provides or uses cloud computing. Certification is particularly relevant for:
- Cloud Service Providers (CSP) — SaaS, PaaS, IaaS providers, cloud platforms, BaaS and FaaS services
- Data Centers and Hosting Providers — colocation, dedicated servers, virtual data centers, edge locations
- Cloud SaaS Solution Developers — CRM, ERP, HRM, medical platforms, educational systems, fintech services
- MSP and MSSP Companies — managed services, network security as a service, SOC-as-a-Service, cloud infrastructure management
- Cloud Integrators and Brokers — companies designing multi-cloud architectures, reselling cloud services, managing migrations
- Cloud Service Customers (CSC) — financial institutions, medical organizations, government enterprises, and companies migrating critical workloads to the cloud that need to demonstrate proper control over cloud risks
- Any organization that transmits, stores, or processes information in cloud environments and requires a systematic approach to security at the interface with the provider
Benefits of ISO 27017 Certification
ISO 27017 certification is a systematic response to specific risks of cloud computing that are not covered by general ISO 27001 controls.
- Closing cloud-specific risks — the standard adds seven special controls for the cloud environment (segregation in virtual computing environments, virtual machine hardening, monitoring of cloud services, alignment of security management for virtual and physical networks, and others) plus extended implementation guidance for thirty-seven ISO/IEC 27002 controls in the cloud context
- Clear CSP ↔ CSC responsibility allocation — the standard formalizes the shared responsibility model, eliminating dozens of potential disputes between provider and customer at the contract stage. Each party clearly knows which controls it implements independently and which are implemented in partnership
- Competitive advantage in corporate and international tenders — banks, insurers, medical institutions, and EU companies increasingly include ISO 27017 compliance requirements in tender documentation for cloud services. Without such a certificate, a provider risks being excluded from the shortlist
- Readiness for European regulatory requirements — the standard is the foundation for EUCS (European Cybersecurity Certification Scheme for Cloud Services), NIS2 Directive requirements, and for personal data processing under GDPR in conjunction with ISO/IEC 27018
- Increased trust from customers and partners — the certificate is public proof that the organization professionally manages specific cloud threats: hypervisor compromise, unauthorized cross-tenant access, uncontrolled spread of administrative privileges, and the risk of incomplete data deletion in multi-tenant infrastructure
- Integration with ISO 27001 without document duplication — since ISO 27017 is built on ISO/IEC 27002 and certified as an ISO 27001 scope extension, additional documentation work is minimal. 27017 controls integrate organically into the existing ISMS via the Statement of Applicability
ISO 27017 Certification Process
ISO/IEC 27017 certification is conducted as an add-on assessment within the framework of an ISO/IEC 27001 certification audit and complies with ISO/IEC 17021-1 and NAAU accreditation requirements.
Stage 1 — Application and Scope Definition — The organization submits an application for ISO 27001 certification with scope extension under ISO 27017. We analyze the cloud services architecture, service models (SaaS/PaaS/IaaS), CSP and CSC roles within the ISMS scope, number of tenants, geography of data centers, and cloud infrastructure scale to determine audit complexity.
Stage 2 — Stage 1 Audit (Documentation Review) — Verification of ISMS and cloud controls readiness: information security policy in the cloud context, cloud risk assessment, Statement of Applicability with included ISO 27017 controls, contractual model with customers and subcontractors, virtual infrastructure management procedures.
Stage 3 — Stage 2 Audit (On-site) — The audit team verifies the practical functioning of 27017 controls: virtual environment segregation, VM image hardening, cloud services monitoring, alignment of security for virtual and physical networks, secure removal of customer assets, operational security of administrators, security alignment between CSP and CSC.
Stage 4 — Certification Decision — Based on the audit results, a report is prepared. The decision to issue the certificate is made independently of the audit team, ensuring impartiality.
Stage 5 — Certificate Issuance — An ISO/IEC 27001 certificate is issued with explicit indication in the scope statement that the ISMS includes ISO/IEC 27017:2015 controls. The certificate is valid for 3 years. Certification information is entered into the register.
Stage 6 — Surveillance Audits — Annual surveillance audits confirm continuous functioning of 27017 controls within the ISMS. The recertification audit is conducted before the certificate expires.
ISO 27017 Certification Cost
The cost of ISO 27017 certification is added to the base cost of ISO 27001 certification and is determined individually based on preliminary analysis.
Factors affecting cost:
Calculate Cost
Fill in a short questionnaire — we will prepare an offer for your business
Documents for ISO 27017 Certification
In addition to the standard document package for ISO 27001, the organization must additionally prepare:
1. Description of cloud services architecture and service delivery models
2. Description of CSP and CSC role allocation within ISMS scope
3. Statement of Applicability with included ISO/IEC 27017 controls
4. Cloud service agreements with customers
5. Virtual infrastructure and hypervisor management procedures
6. Policy on segregation of virtual computing environments
7. Virtual machine hardening procedures
8. Cloud services monitoring and event logging procedures
9. Policy on operational security of cloud service administrators
10. Procedure for secure removal of customer assets after engagement termination
11. Register of subcontractors and documents on cloud services supply chain management
12. Documentation on alignment of security for virtual and physical networks
FAQ
Is there a standalone ISO 27017 certificate?
No. ISO/IEC 27017 is by nature a code of practice, not a certification standard — it lacks the word "Requirements" in its title. The only certification standard in the 27000 series remains ISO/IEC 27001. Certification under ISO 27017 is achieved as a scope extension of ISO/IEC 27001 certification — 27017 controls are added to the Statement of Applicability, and the certificate scope statement is formulated as "in accordance with ISO/IEC 27001:2022 with controls from ISO/IEC 27017:2015". This practice is the industry standard — all leading global cloud providers are certified under this model.
What is the difference between ISO/IEC 27017 and ISO/IEC 27018?
ISO/IEC 27017 establishes information security controls for cloud services in general and addresses both cloud providers and cloud service customers. ISO/IEC 27018 is a specialized standard focused specifically on protecting personally identifiable information (PII) processed in public clouds, primarily addressing providers acting as PII processors. Both standards complement ISO/IEC 27001 and are often certified together as a unified ecosystem of controls for cloud business: 27001 (ISMS base) + 27017 (cloud security) + 27018 (PII protection in the cloud).
Is ISO/IEC 27001 certification required to obtain ISO 27017 certification?
Yes. ISO/IEC 27017 is built as an extension of ISO/IEC 27001 and ISO/IEC 27002 — it cannot exist independently of the underlying information security management system. ISO 27017 certification is conducted exclusively within ISO 27001 certification: either simultaneously with the initial 27001 audit (for organizations just implementing an ISMS) or as a scope extension of a valid 27001 certificate (for organizations with an already confirmed ISMS that are adding cloud controls).