What are ISO 27017 & ISO 27018?

Cloud security and privacy have become non-negotiables for businesses that manage sensitive data or rely on public cloud services. As these risks evolve, so do international standards. ISO/IEC 27017 and ISO/IEC 27018 are two frameworks that specifically address cloud-focused risks—filling critical gaps left by traditional information security management systems (ISMS).

Understanding these standards and how they’ve been used historically helps you future-proof your compliance and strengthen your trust with customers.

What is ISO 27017?

ISO/IEC 27017 provides guidance for cloud service providers (CSPs) and cloud service customers (CSCs) to implement appropriate information security controls in a cloud environment. It supplements, but doesn’t replace, ISO/IEC 27001 or ISO/IEC 27002. Where ISO 27001 lays out the framework for an ISMS, ISO 27017 adds cloud-specific clarity—for example, how to manage virtualization, multi-tenancy, or cloud-specific roles and responsibilities.

Why it matters: ISO 27017 helps build trust between cloud providers and customers by showing that cloud-specific security risks are not just understood—they’re actively managed.

What is ISO 27018?

ISO/IEC 27018 is focused specifically on protecting personally identifiable information (PII) processed in public cloud environments. It applies when a public cloud provider acts as a data processor. The standard establishes detailed privacy principles—like consent, transparency, data minimization, and right to erasure—that are aligned to widely recognized regulatory expectations.

Why it matters: For cloud providers handling regulated or sensitive data, ISO 27018 provides a verifiable framework to demonstrate customer data is processed securely, lawfully, and transparently—critical in a privacy-first world.

How ISO 27017 and ISO 27018 have been adopted historically

ISO 27017 and 27018 have historically been implemented as extensions to an organization’s ISO 27001 certification. Certification bodies offer add-on assessments for these standards, typically conducted during an ISO 27001 audit. Certificates may reference 27017 or 27018 even though they’re technically guidance standards—not certifiable on their own.

Integrated audit approach: The standard audit method follows a two-stage process: Stage 1 evaluates documentation and readiness, while Stage 2 assesses implementation and control effectiveness. Continued compliance is monitored through periodic surveillance.

Cloud-specific evidence: To pass these assessments, organizations must provide evidence such as shared responsibility models, data lifecycle controls, cloud configuration artifacts, and documentation of PII safeguards like secure deletion and administrator activity logging.

Accreditation matters: One common pitfall has been relying on non-accredited bodies to issue 27017 or 27018 certificates. These may not carry weight with customers or procurement teams. Accredited certificates—recognized under international frameworks like the IAF MLA—are essential for credibility.

Common challenges with ISO 27017 and ISO 27018

Even organizations with mature ISMS programs often struggle to fully align with ISO 27017 and 27018. These challenges usually stem from issues of scope, implementation clarity, and inconsistent use of cloud language.

Scoping mismatches create coverage gaps. One of the most frequent issues is defining who is responsible for what within the cloud environment. If your ISMS scope doesn’t clearly distinguish between CSP and CSC responsibilities, audits will reveal blind spots. This is especially problematic for SaaS providers or multi-tenant environments.

Shared responsibility is under-documented. ISO 27017 expects clear definitions of shared responsibilities between cloud providers and their customers. Without robust documentation of this division of labor, controls can’t be properly assigned—leaving auditors with unanswered questions.

Privacy requirements are often confused. ISO 27018 is specific to PII processors, but teams sometimes mistake it for broader privacy coverage or confuse it with ISO/IEC 27701. This leads to misaligned controls or omissions in key requirements like purpose limitation or user consent mechanisms.

Accreditation is overlooked. Many companies have unknowingly accepted non-accredited 27017/27018 certificates—only to have them rejected in procurement reviews. The result is lost deals or rushed remediation to regain customer trust.

What to expect by 2026

As cloud risk and privacy regulation grow more complex, ISO 27017 and ISO 27018 are evolving to stay relevant. Updated versions of these standards, aligned with the revised ISO/IEC 27002:2022, will shape audit expectations by 2026.

27017 will adopt stronger alignment with modern cloud architectures. The second edition of ISO/IEC 27017, now in final draft, includes more definitive guidance on virtualization controls, cloud-native infrastructure, and responsibility splits across deployment models. Expect increasing scrutiny of how roles and boundaries are defined in complex deployments.

27018 has already evolved in 2025. The new version of ISO/IEC 27018 (2025) is no longer a general “code of practice.” It aligns directly with ISO/IEC 27002:2022 and provides more prescriptive privacy controls for CSPs acting as processors. It better supports regions with strict legal obligations, such as GDPR, Brazil’s LGPD, or California’s CPRA.

Audit programs will become more seamless but more technical. As the updated standards roll out, audits will expect better linkage between ISMS core controls and cloud-specific implementations. Evidence collection will increasingly rely on automation capabilities—especially for managing CSP configurations, logging, encryption status, and identity controls.

Customers will demand demonstrable cloud and privacy assurance. While ISO 27001 still provides foundational credibility, enterprise customers and regulators will increasingly look for specific proof of cloud control maturity and PII protections. That’s why 27017 and 27018 certifications—verified and up to date—will become key procurement differentiators.

How Thoropass simplifies ISO 27017 and ISO 27018 compliance

Successfully adopting ISO 27017 and ISO 27018 can boost customer trust and audit readiness—but reaching that point can be daunting without the right tools and guidance. That’s where Thoropass delivers critical advantages.

Framework integration streamlines control mapping. Thoropass supports both ISO 27017 (since June 2025) and ISO 27018 by aligning their specific control sets with core ISO/IEC 27001 controls. You avoid duplicative effort while ensuring your ISMS includes the necessary cloud and privacy extensions.

Pre-built templates accelerate implementation. For ISO 27018 in particular, Thoropass offers pre-vetted templates for key documentation, such as Data Processing Agreements (DPAs), Statements of Applicability, and control rationales tailored to processor responsibilities.

Automated evidence collection reduces audit prep. Thoropass integrates with AWS, Azure, and Google Cloud to automatically identify cloud resources and map them to compliance requirements. This improves accuracy in defining scope, responsibilities, and lifecycle controls—major audit pain points in 27017 and 27018.

Asset Intelligence eliminates scope ambiguity. Knowing what you own is fundamental to compliant cloud security. Thoropass’ Asset Intelligence feature auto-discovers cloud assets, monitors configurations, and flags misalignments—all while feeding real-time data into your compliance program.

Auditor collaboration happens inside the platform. Thoropass centralizes auditor communication, versioned documentation, and milestone tracking across frameworks. So whether you’re certifying ISO 27001 with 27017/27018 extensions or preparing for a privacy-specific review, your team—and your auditor—stay aligned and efficient.

Compliance, without slowing you down

ISO 27017 and ISO 27018 offer targeted, essential protections for cloud environments and personal data. But aligning with these frameworks—especially alongside ISO 27001—requires not just effort, but expertise.

Thoropass delivers that expertise through automation, integration, and continuous support. Our platform reduces duplicative work, enables faster implementation of new frameworks, and keeps your organization ready for whatever the audit or market demands next.

Schedule a discovery session today and see how Thoropass can power your ISO 27017 and ISO 27018 journey—with confidence.