
ISO 27017 / 27018

5 minutes read


TL;DR

ISO 27017 and 27018 are cloud-focused extensions of ISO 27001.

27017 = security controls for shared-responsibility in cloud infra (CSPs + customers).

27018 = how to handle personal data (PII) in public cloud.

No separate certs—usually reviewed during ISO 27001 audits. Strong signal for GDPR alignment and secure cloud practices.

ISO 27017 / 27018 Scorecard Summary:

  • Developer Effort: Moderate (Requires understanding cloud responsibilities, implementing specific cloud security configurations, and potentially building features for PII management/rights if applicable). Effort is additive to ISO 27001.
  • Tooling Cost: Minimal incremental cost over ISO 27001 (Uses existing ISO 27001 tooling; costs relate mainly to implementing specific controls like enhanced monitoring or encryption if not already present).
  • Market Impact: High (Especially for CSPs and companies heavily using cloud; ISO 27018 is key for demonstrating cloud PII protection relevant to GDPR).
  • Flexibility: Moderate (Provides specific guidance and controls within the flexible ISO 27001 framework).
  • Audit Intensity: Assessed as part of High-intensity ISO 27001 audit (Adds specific areas for auditors to scrutinize related to cloud and PII).

What are ISO 27017 / 27018?

ISO/IEC 27017 and ISO/IEC 27018 are international standards within the ISO 27000 family, providing sector-specific guidance for cloud computing. They build upon the general framework and controls found in ISO 27001 and ISO 27002 (which provides implementation guidance for Annex A controls).

  • ISO/IEC 27017:2015 (Code of practice for information security controls based on ISO/IEC 27002 for cloud services):
    • Provides guidance on 37 controls in ISO 27002 specifically relevant to cloud security.
    • Introduces 7 new cloud-specific controls not present in ISO 27002, covering areas like shared roles and responsibilities, monitoring cloud services, virtual machine hardening, and asset removal for customers.
    • Clarifies the roles and responsibilities between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC) for implementing each control.
    • Focuses broadly on information security management in the cloud.
  • ISO/IEC 27018:2019 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors):
    • Focuses specifically on protecting PII processed by public CSPs.
    • Establishes objectives and provides guidance for implementing controls to meet PII protection requirements.
    • Addresses principles like consent and choice, purpose legitimacy, data minimization, limiting use/retention/disclosure, accuracy, security safeguards, transparency, and accountability for PII processors.
    • Aligns closely with privacy regulations like GDPR.
    • Its controls largely extend existing ISO 27002 controls with specific interpretations for PII protection in the cloud.

Critically, neither ISO 27017 nor ISO 27018 is a management system standard like ISO 27001. You don't get certified to 27017 or 27018 directly. Instead, you implement their guidance within an ISO 27001-compliant Information Security Management System (ISMS), and an auditor assesses your implementation of these specific controls during your ISO 27001 audit.

Why are they Important?

Although they are extensions of ISO 27001, ISO 27017 and ISO 27018 are vital for organizations using or providing cloud services:

  • Clarifies Cloud Responsibilities: ISO 27017 specifically addresses the often-murky shared responsibility model in the cloud, helping both CSPs and customers understand who is responsible for which security controls.
  • Builds Trust in Cloud Services: Demonstrating alignment with these standards assures customers that a CSP follows best practices for cloud security (ISO 27017) and PII protection (ISO 27018).
  • Addresses Specific Cloud Risks: ISO 27017 provides guidance tailored to cloud-specific threats and vulnerabilities (e.g., virtualization security, customer environment segregation).
  • Supports Privacy Compliance (GDPR, etc.): ISO 27018 provides a clear framework for CSPs to meet processor obligations under GDPR and other privacy laws, focusing on transparency, consent, and data subject rights related to PII.
  • Competitive Advantage: For CSPs, demonstrating adherence (often via inclusion in an ISO 27001 audit scope) is a significant market differentiator, especially when dealing with regulated industries or privacy-conscious customers.
  • Enhanced Security Posture: Implementing the additional controls and guidance genuinely strengthens security and privacy practices in the cloud environment.

They essentially translate the broader principles of ISO 27001/27002 into the specific context of cloud computing and PII processing within it.

What and How to Implement (Technical & Policy)

Implementation happens within an existing or planned ISO 27001 ISMS:

  1. Scope Definition (as part of ISO 27001): Ensure your ISMS scope clearly includes the cloud services you provide or consume.
  2. Risk Assessment (as part of ISO 27001): Specifically identify cloud-related risks (using ISO 27017 guidance) and PII processing risks in the cloud (using ISO 27018 guidance).
  3. Control Selection (Statement of Applicability - SoA):
    • Review the ISO 27002 controls through the lens of ISO 27017, considering the cloud-specific guidance for both CSPs and CSCs.
    • Implement the 7 new controls from ISO 27017 if applicable based on risk (e.g., defining shared responsibilities, VM hardening).
    • Review ISO 27002 controls through the lens of ISO 27018 if processing PII as a public CSP, implementing the extended control objectives (e.g., around consent, data minimization, transparency, user rights).
    • Update your SoA to reflect the applicability and implementation status of these cloud-specific controls.
  4. Implement Technical & Policy Controls:
    • ISO 27017 examples:
      • Clearly document shared responsibilities with your CSP/customer (A.6.1.1 guidance).
      • Implement procedures for asset removal/return when terminating a cloud service (A.8.3.1 guidance, new control CLD.6.3.1).
      • Segregate virtual environments (A.13.1.3 guidance, new control CLD.9.5.1).
      • Harden virtual machine images (new control CLD.9.5.2).
      • Define and implement specific cloud user security monitoring (A.12.4.1 guidance).
    • ISO 27018 examples (for CSPs processing PII):
      • Commit contractually not to process PII for purposes other than instructed by the customer (A.18.1.4 guidance).
      • Maintain transparency about sub-processors handling PII (A.15.1.1, A.15.1.2 guidance).
      • Implement mechanisms to support customer compliance with data subject rights (access, correction, erasure) (A.18.1.4 guidance).
      • Securely delete or return PII upon contract termination (A.8.3.1, A.11.2.7 guidance).
      • Encrypt PII transmitted over public networks (A.13.2.1, A.13.2.3 guidance).
      • Implement data breach notification procedures specific to PII (A.16.1 guidance).
  5. Training & Awareness: Ensure relevant staff understand cloud security responsibilities (ISO 27017) and PII protection duties (ISO 27018).
  6. Auditing: Include the implemented ISO 27017 / ISO 27018 controls within the scope of your internal and external ISO 27001 audits.

The focus is on applying specific cloud and PII protection lenses to your existing ISMS controls.

Common Mistakes to Avoid

Common errors when dealing with ISO 27017 / 27018:

  1. Treating them as Standalone Certifications: They are codes of practice supplementing ISO 27001, not independent certifications.
  2. Ignoring ISO 27001 Foundation: Trying to implement 27017/27018 controls without a proper ISO 27001 ISMS in place (risk assessment, SoA, etc.).
  3. Not Defining Scope Correctly: Failing to include relevant cloud services or PII processing activities within the ISMS scope.
  4. Overlooking Shared Responsibility (ISO 27017): Assuming the CSP handles everything, or failing to clearly document responsibilities between provider and customer.
  5. Insufficient Focus on PII (ISO 27018): For CSPs, not fully understanding or implementing the specific requirements for consent, transparency, data subject rights support, and limitations on PII use.
  6. Lack of Technical Implementation: Treating the guidance purely as policy without implementing the necessary technical controls (e.g., encryption, access controls, secure configurations specific to the cloud environment).
  7. Forgetting the Customer Role (ISO 27017): Cloud customers also have responsibilities defined in ISO 27017; it's not just for providers.

What Auditors Will Ask (Developer Focus)

During an ISO 27001 audit that includes ISO 27017 / 27018 in scope, auditors might ask questions related to cloud operations and PII handling:

  • (27017) "How do you ensure secure configuration and hardening of virtual machine images deployed in the cloud?" (CLD.9.5.2)
  • (27017) "Show me the documentation defining security responsibilities between you (as customer/provider) and your cloud provider/customer." (A.6.1.1 guidance)
  • (27017) "How do you monitor security events specifically within your cloud environment?" (A.12.4.1 guidance)
  • (27017) "What procedures are in place for securely removing your data/assets upon terminating the cloud service?" (CLD.6.3.1)
  • (27018 - for CSPs) "How does your system support your customer's ability to respond to data subject access or erasure requests for PII you process?" (A.18.1.4 guidance)
  • (27018 - for CSPs) "How do you ensure PII is not used for marketing/advertising without explicit consent?" (Purpose limitation principle)
  • (27018 - for CSPs) "What cryptographic techniques are used to protect PII in transit and at rest within your cloud service?" (A.10.1 / A.13.2.1 guidance)
  • (27018 - for CSPs) "How do you inform customers about sub-processors involved in handling their PII?" (A.15.1.1 / A.15.1.2 guidance)

They will look for evidence that the specific cloud and PII protection guidance has been considered and implemented within the ISMS.

Quick Wins for Development Teams

Aligning with ISO 27017 / 27018 principles can start here:

  1. Understand Your Cloud Provider's Role (ISO 27017): Review your CSP's shared responsibility model documentation. Know what security they handle vs. what you need to handle in the application/configuration layer.
  2. Harden VM/Container Images (ISO 27017): Use minimal base images, remove unnecessary services, and apply security configurations before deployment. (Relates to CLD.9.5.2)
  3. Leverage Cloud Security Tools (ISO 27017): Utilize built-in cloud provider tools for monitoring, access control (IAM), and configuration management (like AWS Config, Azure Policy).
  4. Map PII Data Flows (ISO 27018): If handling PII, understand exactly where it enters, how it's processed, where it's stored, and who accesses it within your cloud application.
  5. Encrypt PII (ISO 27018): Prioritize encrypting PII both in transit (TLS) and at rest (database/storage encryption).
  6. Plan for Data Subject Rights (ISO 27018): When designing features involving PII, consider how you would technically retrieve, correct, or delete that specific user's data if requested.
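One way to make quick wins 4 and 6 concrete, together with the ISO 27018 implementation examples above (purpose limitation, support for data subject access and erasure, an audit trail), as an added example that is not Aikido's code: a PII data-flow map that drives a purpose check, a subject export and a subject erasure across every store. The field map, the in-memory stores, the subject id and the purpose names are all constructed for illustration; a real service would swap the dicts for its databases and buckets.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PiiField:
    store: str           # where the field lives (e.g. a database or a log bucket)
    purposes: frozenset  # purposes the customer instructed us to process it for

# Constructed PII data-flow map: field name -> location and permitted purposes.
PII_MAP = {
    "email":      PiiField("users_db", frozenset({"service_delivery", "support"})),
    "phone":      PiiField("users_db", frozenset({"support"})),
    "ip_address": PiiField("access_logs", frozenset({"security_monitoring"})),
}

# Constructed backing stores, keyed by data subject id. "plan" and "path"
# are not PII and must survive an erasure request.
STORES = {
    "users_db":    {"u-42": {"email": "a@example.com", "phone": "+32 9 000 0000", "plan": "pro"}},
    "access_logs": {"u-42": {"ip_address": "203.0.113.9", "path": "/login"}},
}

AUDIT = []  # append-only trail of reads, denials, exports and erasures

class PurposeViolation(Exception):
    pass

def is_permitted(field_name, purpose, consent=frozenset()):
    """Purpose limitation: a use is allowed only if the customer instructed it
    or the data subject explicitly consented to that purpose."""
    return purpose in PII_MAP[field_name].purposes or purpose in consent

def access_pii(subject_id, field_name, purpose, consent=frozenset()):
    """Read one PII field for a declared purpose, refusing undeclared uses."""
    if not is_permitted(field_name, purpose, consent):
        AUDIT.append(("denied", subject_id, field_name, purpose))
        raise PurposeViolation(f"{field_name} may not be used for {purpose}")
    AUDIT.append(("read", subject_id, field_name, purpose))
    return STORES[PII_MAP[field_name].store].get(subject_id, {}).get(field_name)

def export_subject(subject_id):
    """Access request: collect every PII field held for the subject, store by store."""
    AUDIT.append(("export", subject_id))
    found = {name: STORES[spec.store].get(subject_id, {}).get(name)
             for name, spec in PII_MAP.items()}
    return {k: v for k, v in found.items() if v is not None}

def erase_subject(subject_id):
    """Erasure request: drop the subject's PII from every mapped store while
    leaving non-PII fields intact. Returns the number of fields removed."""
    removed = 0
    for name, spec in PII_MAP.items():
        record = STORES[spec.store].get(subject_id)
        if record and name in record:
            del record[name]
            removed += 1
    AUDIT.append(("erase", subject_id, removed))
    return removed
```

Because every store holding PII is registered in PII_MAP, an export or erasure cannot silently miss a copy, which is the evidence an auditor asking about data subject rights support will want to see.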

Ignore This And... (Consequences of Failing)

Since ISO 27017 / 27018 are assessed within an ISO 27001 audit, "failure" typically means receiving non-conformities during that audit:

  • ISO 27001 Audit Failure: Major non-conformities related to unimplemented 27017/27018 controls (if in scope) can jeopardize your ISO 27001 certification itself, leading to suspension or failure to certify.
  • Loss of Trust: Failing to demonstrate adherence to cloud security (ISO 27017) or PII protection (ISO 27018) best practices damages trust with customers and partners relying on your cloud services.
  • Contractual/Market Issues: Inability to meet contractual requirements that specify adherence to these standards, potentially losing deals or market access.
  • Increased Risk: Ignoring the guidance means potentially missing crucial cloud-specific security controls or PII protection measures, increasing the risk of breaches or privacy violations.
  • Regulatory Non-Compliance: For ISO 27018, failing to implement its PII protection guidance could contribute to non-compliance with regulations like GDPR, leading to fines and legal action.

FAQ

Can I get certified directly to ISO 27017 or ISO 27018?

No. They are codes of practice, not management system standards. Compliance is assessed as part of an ISO 27001 certification audit where these standards are included in the scope.

Do I need both ISO 27017 and ISO 27018?

Not necessarily. ISO 27017 is relevant for almost any organization using or providing significant cloud services. ISO 27018 is specifically relevant for public Cloud Service Providers that process Personally Identifiable Information (PII) on behalf of their customers. If you are a CSP handling PII, you'd likely consider both. If you are a cloud customer not processing significant PII in the cloud, only ISO 27017 might be relevant.

How do ISO 27017/27018 relate to ISO 27001?

They are extensions providing detailed implementation guidance for specific ISO 27001/27002 controls in the context of cloud computing (ISO 27017) and cloud PII protection (ISO 27018). You need an ISO 27001 ISMS as the foundation.

Is ISO 27017 only for Cloud Service Providers (CSPs)?

No. ISO 27017 provides guidance for both Cloud Service Providers (CSPs) and Cloud Service Customers (CSCs), clarifying responsibilities for each party.

Is ISO 27018 only for Cloud Service Providers (CSPs)?

Primarily, yes. ISO 27018 focuses on the requirements for CSPs acting as PII processors. Cloud customers (PII controllers) might use it to help evaluate CSPs, but the implementation burden falls mainly on the provider.

Does implementing ISO 27018 make me GDPR compliant?

Not automatically, but it helps significantly. ISO 27018 provides a strong framework for CSPs to meet many GDPR requirements related to processing PII (Article 28 obligations), such as security, transparency, sub-processing, and assisting with data subject rights. It's a valuable tool for demonstrating GDPR alignment for cloud PII processing.

How are these audited?

An accredited certification body performs an ISO 27001 audit. If ISO 27017 / 27018 are included in your ISMS scope and Statement of Applicability, the auditor will assess your implementation of the relevant controls and guidance from these standards during the ISO 27001 audit process.

www.aikido.dev/learn/software-security-tools/iso-27017-27018