ISO 27017 and ISO 27018: cloud security and privacy explained

·

When a company uploads its data to the cloud, it signs a contract with its provider and trusts that on the other side there is something more than good intentions. The standards ISO/IEC 27017:2015 and ISO/IEC 27018:2019 formalise that trust: the first establishes security controls specific to cloud services; the second adds a layer of protection for personal data processed in those environments. Together they cover the perimeter that ISO 27001, on its own, leaves open in public or hybrid cloud contexts.

Note: ISO/IEC 27018 was revised in 2025 (current edition: ISO/IEC 27018:2025, published in October 2025, which supersedes the 2019 edition). The content of this article applies to both editions; the privacy principles and controls have been maintained in alignment with ISO/IEC 27002:2022.

At Summum Marketing we have been helping companies implement information management systems since 2007. We have seen how the massive migration to the cloud has led clients who already held ISO 27001 to need to extend their certification to these two standards. This article explains what each standard covers, when certification is mandatory or advisable, and how the process works whether you are starting from scratch or from an existing ISO 27001.

What is ISO 27017: security controls for the cloud

ISO/IEC 27017:2015 is a guide to information security controls specifically designed for cloud services. It is not a standard that can be certified independently: it extends Annex A of ISO 27001 with seven additional controls not found in the original catalogue and clarifies how existing controls should be applied when the environment is cloud-based.

The seven exclusive controls added by ISO 27017 address questions that every executive should ask before signing a contract with a cloud provider:

The standard is aimed at two actors: the cloud service provider (CSP) — AWS, Azure, Google Cloud, an in-house data centre — and the cloud customer (CSC) — the company that uses those services. Each control specifies whether responsibility lies with the CSP, the CSC or both. This eliminates the grey area that exists in many managed service contracts.

What is ISO 27018: privacy of personal data in the cloud

ISO/IEC 27018:2025 (third edition, published in October 2025, which revises and supersedes the 2019 edition) protects the privacy of natural persons whose data is processed in cloud services. It applies to providers acting as data processors in the sense of the General Data Protection Regulation (GDPR): companies that process personal data on behalf of another organisation.

If your company outsources payroll processing to an HR SaaS, or stores customer records in a cloud-based CRM, the provider of that service should be able to demonstrate ISO 27018 compliance. The standard establishes principles such as:

ISO 27018 is not a GDPR compliance certification — that is determined by the relevant national supervisory authority — but it is a recognised technical piece of evidence that facilitates the accreditation of data processors and strengthens the contractual guarantees required by Article 28 of the GDPR.

Key differences between ISO 27017 and ISO 27018

Dimension ISO 27017:2015 ISO 27018:2019
Subject matter Information security in cloud services Privacy of personal data in the cloud
Target audience Cloud providers and customers (CSP and CSC) Cloud providers acting as data processors
Reference framework Extends Annex A of ISO 27001 Extends ISO 27001 with privacy principles (aligned with ISO 29100)
Relationship with the GDPR Indirect: improves the technical security the GDPR requires Direct: covers the guarantees of the data processor (Art. 28 GDPR)
Is it certifiable? Yes, as an extension of ISO 27001 Yes, as an extension of ISO 27001
Current version ISO/IEC 27017:2015 ISO/IEC 27018:2025
Type of data protected All information assets in the cloud Exclusively personal data (PII)

Are they certifiable? How do they work with ISO 27001?

Here comes the most common question: neither standard can be certified independently. Both operate as extensions of ISO 27001. The usual process is:

  1. The organisation implements ISO 27001 as a foundation (Information Security Management System, ISMS).
  2. On top of that ISMS, the additional controls of ISO 27017, ISO 27018 or both are incorporated.
  3. The accredited certification body (AENOR, Bureau Veritas, SGS, BSI or others accredited by the relevant national accreditation body) issues an ISO 27001 certificate that explicitly mentions the cloud extensions applied in its scope.

Some bodies issue combined certificates of the type "ISO 27001:2022 + ISO 27017:2015 + ISO 27018:2019". This is especially common in SaaS providers or in companies that want to stand out to customers in the public sector, finance or healthcare.

If your company already holds a valid ISO 27001, extending it to ISO 27017 and ISO 27018 does not require repeating the entire process from scratch. It involves a gap analysis of current controls, the incorporation of any missing cloud controls and an extension audit. The effort is significantly less than a first-time certification.

If you do not yet have ISO 27001, our ISO 27001 implementation service is the natural starting point: we build it from the ground up, taking cloud requirements into account so that the extension to ISO 27017 and ISO 27018 is a straightforward step rather than a separate project.

Who should certify ISO 27017 and ISO 27018

Not every organisation needs these certifications, but there are profiles for which they are almost indispensable:

SaaS, IaaS or PaaS service providers

If your business is providing infrastructure or software as a service, ISO 27017 is the proof your corporate customers will ask for before signing a contract. Large accounts — public administrations, banks, healthcare, regulated industries — already include ISO 27017 certification in their tender requirements, either as a mandatory criterion or as a scoring factor.

Companies that outsource the processing of personal data

If your CRM, email marketing platform, ERP or HR management system runs in the cloud and processes data about natural persons (employees, customers, patients), ISO 27018 at the provider level is the technical guarantee that the GDPR requires you to verify. A signed data processing agreement is not enough: you need evidence that the controls are actually being applied.

Companies with customers in regulated sectors

Healthcare (national data protection law, NIS2), financial services (DORA, PSD2), the public sector (national security schemes) and defence require levels of assurance that go beyond basic ISO 27001. ISO 27017 and ISO 27018 cover a large part of that gap and facilitate cross-compliance.

Companies seeking commercial differentiation

Certification is visible. Publishing it on your website, in your proposals and in your contracts reduces sales friction with buyers who have security checklists. In sectors where several providers hold ISO 27001, the one that adds 27017 and 27018 starts with an advantage.

How the implementation process works: practical stages

The path from decision to certificate has well-defined phases. At Summum we accompany the entire journey, without delegating the technical or documentary work to the client:

1. Baseline diagnosis (cloud gap analysis)

We map the inventory of cloud services used by the organisation (IaaS, PaaS, SaaS), identify the personal data flows that pass through those services and compare current controls against those required by ISO 27017 and ISO 27018. The result is an action plan prioritised by risk.

2. Scope design and cloud security policy

We define which cloud services fall within the certification scope, document shared responsibilities with each provider and update the security policy to reflect the real hybrid or multi-cloud environment.

3. Control implementation

We apply the seven exclusive controls of ISO 27017 and the privacy procedures of ISO 27018: secure data deletion procedure at contract end, breach notification protocol, privileged access management in virtualised environments, cloud network segmentation and consolidated activity logs between provider and customer.

4. Internal audit and management review

We verify internally that the controls are working before exposing the system to an external audit. We identify and close minor deviations. Management reviews and approves the extended system.

5. Certification audit

The accredited body carries out Stage 1 (documentary review) and Stage 2 (on-site verification). If there are no major non-conformities, it issues the certificate with the defined cloud scope.

If you already hold ISO 27001, the process is condensed: the gap analysis is more agile, the base documentation already exists and the external audit can be approached as a scope extension audit. In many cases, the total time from start to certificate is between three and six months.

You can find more information about our specific service on the ISO 27017 and ISO 27018 implementation and certification page, where we detail the scope, the phases and the company profiles that benefit most.

ISO 27017 and ISO 27018 in the 2025-2026 regulatory landscape

The regulatory environment has changed significantly in the past two years and reinforces the relevance of these standards:

The picture is clear: if your company operates in the cloud and serves regulated customers or the public administration, ISO 27017 and ISO 27018 cease to be optional and become a condition of market access.

Frequently asked questions

Can I certify ISO 27017 or ISO 27018 without having ISO 27001?

No. Both standards are extensions of ISO 27001 and require the base Information Security Management System (ISMS) to be implemented and certified. ISO 27001 establishes the management framework, the controls, the internal audits and the management reviews on which the additional cloud controls rely. Without that foundation, certification is not possible. If you are starting from zero, the project begins with ISO 27001 and integrates cloud requirements from the outset so that the extension to 27017 and 27018 is part of the same effort, not a subsequent project.

Does ISO 27018 equal GDPR compliance?

It does not equal it, but it complements it. ISO 27018 is not a regulatory compliance certification in the GDPR sense; national supervisory authorities do not recognise it as a substitute for legal obligations. What it does do is provide audited technical evidence that the cloud provider applies privacy controls aligned with the principles of the GDPR (minimisation, purpose limitation, right to erasure, breach notification). That evidence greatly facilitates the due diligence required by Article 28 of the GDPR when the client must demonstrate that it has chosen a data processor with sufficient guarantees.

How long does the process take if we already have ISO 27001?

It depends on the number of cloud services in scope and the maturity level of current controls, but the typical range is between three and six months. The initial gap analysis usually takes two to four weeks; the implementation of additional controls, between six and ten weeks; and the external audit is scheduled once the system is stable. The factor that shortens the timeline most is having the cloud architecture and provider contracts well documented. If that documentation does not exist, generating the service inventory and shared responsibility matrices takes time before controls can be addressed.

Major cloud providers like Azure or AWS already hold these certifications. Do I benefit automatically?

Microsoft Azure, Amazon Web Services and Google Cloud hold ISO 27017 and ISO 27018 certifications on their infrastructure. However, that only covers the provider's responsibility under the shared responsibility model. The application layer, access configuration, identity management, backups and the personal data processing that your organisation carries out on top of that infrastructure remain your responsibility. Using Azure with ISO 27017 does not automatically make your organisation ISO 27017 certified: you need to demonstrate that you also apply the controls that fall to you as a cloud customer (CSC). That is exactly the gap where Summum works.