When a company uploads its data to the cloud, it signs a contract with its provider and trusts that on the other side there is something more than good intentions. The standards ISO/IEC 27017:2015 and ISO/IEC 27018:2019 formalise that trust: the first establishes security controls specific to cloud services; the second adds a layer of protection for personal data processed in those environments. Together they cover the perimeter that ISO 27001, on its own, leaves open in public or hybrid cloud contexts.
Note: ISO/IEC 27018 was revised in 2025 (current edition: ISO/IEC 27018:2025, published in October 2025, which supersedes the 2019 edition). The content of this article applies to both editions; the privacy principles and controls have been maintained in alignment with ISO/IEC 27002:2022.
At Summum Marketing we have been helping companies implement information management systems since 2007. We have seen how the massive migration to the cloud has led clients who already held ISO 27001 to need to extend their certification to these two standards. This article explains what each standard covers, when certification is mandatory or advisable, and how the process works whether you are starting from scratch or from an existing ISO 27001.
What is ISO 27017: security controls for the cloud
ISO/IEC 27017:2015 is a guide to information security controls specifically designed for cloud services. It is not a standard that can be certified independently: it extends Annex A of ISO 27001 with seven additional controls not found in the original catalogue and clarifies how existing controls should be applied when the environment is cloud-based.
The seven exclusive controls added by ISO 27017 address questions that every executive should ask before signing a contract with a cloud provider:
- CLD.6.3.1: Relationship between the cloud service provider (CSP) and its customer (CSC): who is responsible for which asset.
- CLD.8.1.5: Removal of customer assets when the contract ends: what happens to your data when you change provider.
- CLD.9.5.1: Segregation in shared virtual environments: ensuring that a neighbour's failure does not affect you.
- CLD.9.5.2: Hardening of virtual machines: reducing the attack surface at the hypervisor level.
- CLD.12.1.5: Monitoring of cloud services by the administrator.
- CLD.12.4.5: Alignment of activity logs between provider and customer.
- CLD.13.1.4: Virtual network security for communications between cloud nodes.
The standard is aimed at two actors: the cloud service provider (CSP) — AWS, Azure, Google Cloud, an in-house data centre — and the cloud customer (CSC) — the company that uses those services. Each control specifies whether responsibility lies with the CSP, the CSC or both. This eliminates the grey area that exists in many managed service contracts.
What is ISO 27018: privacy of personal data in the cloud
ISO/IEC 27018:2025 (third edition, published in October 2025, which revises and supersedes the 2019 edition) protects the privacy of natural persons whose data is processed in cloud services. It applies to providers acting as data processors in the sense of the General Data Protection Regulation (GDPR): companies that process personal data on behalf of another organisation.
If your company outsources payroll processing to an HR SaaS, or stores customer records in a cloud-based CRM, the provider of that service should be able to demonstrate ISO 27018 compliance. The standard establishes principles such as:
- Personal data is not used for purposes other than those contracted (not for advertising, not for provider profiling).
- The customer retains control over their data and can export or delete it at any time.
- The provider notifies the customer of security breaches within defined timeframes.
- International transfers of personal data are documented and protected.
- Provider employees who access personal data are bound by confidentiality commitments.
ISO 27018 is not a GDPR compliance certification — that is determined by the relevant national supervisory authority — but it is a recognised technical piece of evidence that facilitates the accreditation of data processors and strengthens the contractual guarantees required by Article 28 of the GDPR.
Key differences between ISO 27017 and ISO 27018
| Dimension | ISO 27017:2015 | ISO 27018:2019 |
|---|---|---|
| Subject matter | Information security in cloud services | Privacy of personal data in the cloud |
| Target audience | Cloud providers and customers (CSP and CSC) | Cloud providers acting as data processors |
| Reference framework | Extends Annex A of ISO 27001 | Extends ISO 27001 with privacy principles (aligned with ISO 29100) |
| Relationship with the GDPR | Indirect: improves the technical security the GDPR requires | Direct: covers the guarantees of the data processor (Art. 28 GDPR) |
| Is it certifiable? | Yes, as an extension of ISO 27001 | Yes, as an extension of ISO 27001 |
| Current version | ISO/IEC 27017:2015 | ISO/IEC 27018:2025 |
| Type of data protected | All information assets in the cloud | Exclusively personal data (PII) |
Are they certifiable? How do they work with ISO 27001?
Here comes the most common question: neither standard can be certified independently. Both operate as extensions of ISO 27001. The usual process is:
- The organisation implements ISO 27001 as a foundation (Information Security Management System, ISMS).
- On top of that ISMS, the additional controls of ISO 27017, ISO 27018 or both are incorporated.
- The accredited certification body (AENOR, Bureau Veritas, SGS, BSI or others accredited by the relevant national accreditation body) issues an ISO 27001 certificate that explicitly mentions the cloud extensions applied in its scope.
Some bodies issue combined certificates of the type "ISO 27001:2022 + ISO 27017:2015 + ISO 27018:2019". This is especially common in SaaS providers or in companies that want to stand out to customers in the public sector, finance or healthcare.
If your company already holds a valid ISO 27001, extending it to ISO 27017 and ISO 27018 does not require repeating the entire process from scratch. It involves a gap analysis of current controls, the incorporation of any missing cloud controls and an extension audit. The effort is significantly less than a first-time certification.
If you do not yet have ISO 27001, our ISO 27001 implementation service is the natural starting point: we build it from the ground up, taking cloud requirements into account so that the extension to ISO 27017 and ISO 27018 is a straightforward step rather than a separate project.
Who should certify ISO 27017 and ISO 27018
Not every organisation needs these certifications, but there are profiles for which they are almost indispensable:
SaaS, IaaS or PaaS service providers
If your business is providing infrastructure or software as a service, ISO 27017 is the proof your corporate customers will ask for before signing a contract. Large accounts — public administrations, banks, healthcare, regulated industries — already include ISO 27017 certification in their tender requirements, either as a mandatory criterion or as a scoring factor.
Companies that outsource the processing of personal data
If your CRM, email marketing platform, ERP or HR management system runs in the cloud and processes data about natural persons (employees, customers, patients), ISO 27018 at the provider level is the technical guarantee that the GDPR requires you to verify. A signed data processing agreement is not enough: you need evidence that the controls are actually being applied.
Companies with customers in regulated sectors
Healthcare (national data protection law, NIS2), financial services (DORA, PSD2), the public sector (national security schemes) and defence require levels of assurance that go beyond basic ISO 27001. ISO 27017 and ISO 27018 cover a large part of that gap and facilitate cross-compliance.
Companies seeking commercial differentiation
Certification is visible. Publishing it on your website, in your proposals and in your contracts reduces sales friction with buyers who have security checklists. In sectors where several providers hold ISO 27001, the one that adds 27017 and 27018 starts with an advantage.
How the implementation process works: practical stages
The path from decision to certificate has well-defined phases. At Summum we accompany the entire journey, without delegating the technical or documentary work to the client:
1. Baseline diagnosis (cloud gap analysis)
We map the inventory of cloud services used by the organisation (IaaS, PaaS, SaaS), identify the personal data flows that pass through those services and compare current controls against those required by ISO 27017 and ISO 27018. The result is an action plan prioritised by risk.
2. Scope design and cloud security policy
We define which cloud services fall within the certification scope, document shared responsibilities with each provider and update the security policy to reflect the real hybrid or multi-cloud environment.
3. Control implementation
We apply the seven exclusive controls of ISO 27017 and the privacy procedures of ISO 27018: secure data deletion procedure at contract end, breach notification protocol, privileged access management in virtualised environments, cloud network segmentation and consolidated activity logs between provider and customer.
4. Internal audit and management review
We verify internally that the controls are working before exposing the system to an external audit. We identify and close minor deviations. Management reviews and approves the extended system.
5. Certification audit
The accredited body carries out Stage 1 (documentary review) and Stage 2 (on-site verification). If there are no major non-conformities, it issues the certificate with the defined cloud scope.
If you already hold ISO 27001, the process is condensed: the gap analysis is more agile, the base documentation already exists and the external audit can be approached as a scope extension audit. In many cases, the total time from start to certificate is between three and six months.
You can find more information about our specific service on the ISO 27017 and ISO 27018 implementation and certification page, where we detail the scope, the phases and the company profiles that benefit most.
ISO 27017 and ISO 27018 in the 2025-2026 regulatory landscape
The regulatory environment has changed significantly in the past two years and reinforces the relevance of these standards:
- DORA (Digital Operational Resilience Act): in force since January 2025 for EU financial entities. It requires rigorous management of risks from third-party ICT providers, including cloud providers. ISO 27017 covers a large part of the digital operational resilience controls that DORA requires.
- NIS2 (EU Directive 2022/2555): transposed in Spain through the Cybersecurity Coordination Act (in the legislative process during 2025). It requires essential and important entities to implement cybersecurity risk management measures, with particular attention to the digital supply chain — including cloud providers.
- National Security Scheme (ENS): Royal Decree 311/2022 applies to systems that handle information belonging to Spanish public administrations. ISO 27017 and ISO 27018 are recognised technical references for accrediting controls in cloud environments used by public bodies or their suppliers.
- EU AI Act: in phased application from 2024 to 2027. High-risk AI systems that process personal data must meet privacy and security requirements that ISO 27018 helps accredit when the system runs in the cloud.
The picture is clear: if your company operates in the cloud and serves regulated customers or the public administration, ISO 27017 and ISO 27018 cease to be optional and become a condition of market access.
Frequently asked questions
Can I certify ISO 27017 or ISO 27018 without having ISO 27001?
No. Both standards are extensions of ISO 27001 and require the base Information Security Management System (ISMS) to be implemented and certified. ISO 27001 establishes the management framework, the controls, the internal audits and the management reviews on which the additional cloud controls rely. Without that foundation, certification is not possible. If you are starting from zero, the project begins with ISO 27001 and integrates cloud requirements from the outset so that the extension to 27017 and 27018 is part of the same effort, not a subsequent project.
Does ISO 27018 equal GDPR compliance?
It does not equal it, but it complements it. ISO 27018 is not a regulatory compliance certification in the GDPR sense; national supervisory authorities do not recognise it as a substitute for legal obligations. What it does do is provide audited technical evidence that the cloud provider applies privacy controls aligned with the principles of the GDPR (minimisation, purpose limitation, right to erasure, breach notification). That evidence greatly facilitates the due diligence required by Article 28 of the GDPR when the client must demonstrate that it has chosen a data processor with sufficient guarantees.
How long does the process take if we already have ISO 27001?
It depends on the number of cloud services in scope and the maturity level of current controls, but the typical range is between three and six months. The initial gap analysis usually takes two to four weeks; the implementation of additional controls, between six and ten weeks; and the external audit is scheduled once the system is stable. The factor that shortens the timeline most is having the cloud architecture and provider contracts well documented. If that documentation does not exist, generating the service inventory and shared responsibility matrices takes time before controls can be addressed.
Major cloud providers like Azure or AWS already hold these certifications. Do I benefit automatically?
Microsoft Azure, Amazon Web Services and Google Cloud hold ISO 27017 and ISO 27018 certifications on their infrastructure. However, that only covers the provider's responsibility under the shared responsibility model. The application layer, access configuration, identity management, backups and the personal data processing that your organisation carries out on top of that infrastructure remain your responsibility. Using Azure with ISO 27017 does not automatically make your organisation ISO 27017 certified: you need to demonstrate that you also apply the controls that fall to you as a cloud customer (CSC). That is exactly the gap where Summum works.