ISO/IEC 27017:2015 — Cloud security
Code of practice for information security controls based on ISO/IEC 27002 for cloud services. Extends ISO 27001 with 7 cloud-specific Annex A controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4) plus enhanced implementation guidance for ~37 existing 27001 controls in cloud contexts. 44 audit-checklist-defensible controls covering policy and governance, shared responsibility, asset and access management, cryptography and key custody, operations and monitoring, secure cloud development, supplier governance, incident response, BCP, and compliance. Foundational for cloud certification (paired with an ISO 27001 audit). A revision aligned with ISO 27002:2022 is at DIS stage as of May 2026; the current 2015 edition remains the published standard.
Composition
44 controls currently indexed; participates in 14 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- Board-approved policy framework anchoring derived operational controls (legacy "supplier-policy" cluster name)
- Cloud Identity and Access Management — federation, vulnerability testing, monitoring
- Cloud Security Posture Management — continuous configuration assessment
- Cloud cryptographic key management — CMK/BYOK/HYOK
- Cloud network security — remote access, vulnerability scanning, monitoring
- Cloud shared responsibility — CSC/CSP RACI
- Continuous monitoring of networks, systems, applications, and outsourced development
- Cryptographic controls, key management, and post-quantum readiness
- Network protection — segmentation, monitoring, perimeter, and data leak prevention
- Network segmentation with zero-trust principles
- Privacy governance — legal, regulatory, contractual, and algorithmic obligations
- Privileged access management and access rights lifecycle
- Secure configuration baselines and hardening discipline
- Secure disposal of equipment, media, and personal information