
ISO 27017 extends ISO 27001 with cloud-specific security controls for both cloud service providers and cloud customers. This checklist guides you through implementing cloud security controls and achieving certification as an add-on to your existing ISMS.
ISO/IEC 27017 is an international standard that provides guidelines for information security controls applicable to the provision and use of cloud services.
It supplements ISO/IEC 27002 by providing additional cloud-specific implementation guidance, helping both cloud service providers and customers manage the security of cloud-based environments.
The standard addresses shared responsibilities, clarifies roles, and introduces new controls for cloud-specific risks such as virtualization, customer data segregation, and cloud customer monitoring of provider activities.
Cloud Controls
ISO 27001
Scope
Click each step to expand the details. Work through them in order — each step builds on the previous one.
Ensure the prerequisite management system is in place
ISO 27017 is designed as an extension to ISO 27001 and requires an established Information Security Management System as its foundation. If you do not already have ISO 27001 certification, you should pursue that first or implement both simultaneously.
Identify the cloud services and deployment models in scope
Clearly define which cloud services are in scope for ISO 27017 compliance. This includes identifying your role as a cloud service provider (CSP), cloud service customer (CSC), or both, and the specific cloud service and deployment models involved.
Identify the additional cloud controls that apply
ISO 27017 provides implementation guidance for 37 ISO 27001 Annex A controls in a cloud context plus 7 additional cloud-specific controls. Map these controls against your existing ISO 27001 implementation to identify what additional work is required.
Deploy the cloud-specific safeguards
Implement the cloud security controls identified in your gap analysis. These controls address cloud-specific risks including virtualization security, multi-tenancy isolation, shared responsibility, and cloud service administration.
Document and communicate security responsibilities
A core concept of ISO 27017 is the shared responsibility model between CSPs and customers. Clearly document which party is responsible for each security control and ensure both sides understand their obligations.
Extend ISMS documentation to cover cloud-specific requirements
Update your existing ISMS documentation to incorporate cloud security policies, procedures, and guidelines. This includes extending risk assessments, asset inventories, and operational procedures to address cloud-specific scenarios.
Verify cloud controls before the certification audit
Conduct an internal audit covering the ISO 27017 cloud-specific controls and the extended cloud guidance for Annex A controls. This audit should verify that all cloud controls are implemented, effective, and properly documented.
Obtain ISO 27017 certification as an ISO 27001 extension
Work with your ISO 27001 certification body to add ISO 27017 to your certification scope. This is typically done during a surveillance audit or recertification, though it can also be conducted as a standalone extension audit.
Feeling overwhelmed? You don't have to do this alone.
Transparent cost ranges so you can plan and budget. Costs vary based on organization size, current security posture, and environment complexity.
Including preparation, tooling, and assessment fees
Depending on current maturity and scope
Independent verification of your compliance
Compliance management and evidence collection tools
SIEM, EDR, vulnerability scanning, encryption tools
Hundreds of hours across IT, security, and leadership
Annual reviews, continuous monitoring, recertification
The cost of non-compliance far exceeds the investment in getting certified. Consider what's at stake:
The question isn't whether you can afford compliance — it's whether you can afford not to have it.

Illumen specializes in helping organizations achieve ISO 27017 compliance — from initial assessment through certification. We meet you wherever you are in the journey.
Know exactly where you stand against requirements
Close gaps with expert guidance and support
Policies, procedures, and evidence packages
Common questions about ISO 27017 compliance and certification.