
ISO 27001, 27017, and 27018: Understanding the Differences

A detailed comparison of ISO 27001, ISO 27017, and ISO 27018 covering how these standards relate, which industries benefit from each, and how implementing them together reduces audit overhead.

Agency Team

Organizations that operate cloud services or process personal data in public cloud environments frequently encounter requests for ISO 27017 and ISO 27018 certifications alongside ISO 27001. Understanding how these three standards relate -- and how to implement them efficiently -- is the difference between a streamlined compliance program and one that burns budget on redundant effort. Here is how we advise clients to think about these standards and when each one matters.

Most security and compliance teams are familiar with ISO 27001 as the international gold standard for information security management. Fewer understand that ISO 27017 and ISO 27018 were designed as purpose-built extensions that address gaps ISO 27001 was never intended to cover on its own: cloud-specific security controls and personally identifiable information protection in public cloud environments. This guide breaks down each standard, explains which industries benefit from each, and provides a practical roadmap for implementing them together.

ISO 27001: The Foundation

ISO 27001 establishes the requirements for an information security management system (ISMS). It is the base layer upon which both ISO 27017 and ISO 27018 are built. Without an ISO 27001-certified ISMS, neither extension can be pursued.

What ISO 27001 Covers

ISO 27001 is organized around a management system framework (Clauses 4 through 10) and a set of reference controls in Annex A. The 2022 revision reorganized Annex A into four themes:

| Theme | Number of Controls | Focus Areas |
|---|---|---|
| Organizational | 37 | Policies, roles, asset management, supplier relationships |
| People | 8 | Screening, awareness, training, disciplinary process |
| Physical | 14 | Perimeters, entry controls, equipment security |
| Technological | 34 | Access control, cryptography, logging, network security |

The standard is intentionally technology-agnostic. It applies equally to on-premises data centers, hybrid environments, and fully cloud-native architectures. This generality is a strength for broad applicability but leaves gaps when it comes to cloud-specific risks and PII processing obligations.

For a detailed walkthrough of ISO 27001 requirements, see our ISO 27001 requirements checklist.

Why ISO 27001 Alone Is Not Enough for Cloud Providers

ISO 27001 does not prescribe how shared responsibility models should work between cloud providers and customers. It does not address multi-tenancy isolation, virtual machine hardening, or cloud-specific data deletion requirements. Organizations that provide cloud services or process PII in public cloud environments will find that ISO 27001 leaves these critical areas to interpretation -- which is exactly why ISO 27017 and ISO 27018 exist.

ISO 27017: Cloud-Specific Security Controls

ISO 27017 (formally ISO/IEC 27017:2015) provides guidelines for information security controls applicable to the provision and use of cloud services. It is structured as supplementary guidance to ISO 27002 controls, with additional controls unique to cloud environments.

What ISO 27017 Adds

ISO 27017 does two things. First, it provides cloud-specific implementation guidance for existing ISO 27002 controls. Second, it introduces seven new controls that have no equivalent in ISO 27002:

| Control | Description | Applies To |
|---|---|---|
| CLD.6.3.1 | Shared roles and responsibilities in cloud computing | Provider and Customer |
| CLD.8.1.5 | Removal of cloud service customer assets | Provider |
| CLD.9.5.1 | Segregation in virtual computing environments | Provider |
| CLD.9.5.2 | Virtual machine hardening | Provider |
| CLD.12.1.5 | Administrator's operational security | Provider |
| CLD.12.4.5 | Monitoring of cloud services | Customer |
| CLD.13.1.4 | Alignment of security management for virtual and physical networks | Provider |

Key Concepts in ISO 27017

Shared responsibility clarity. The standard requires explicit documentation of which security responsibilities belong to the cloud service provider and which belong to the cloud service customer. In our experience, this is the single most valuable aspect of 27017 -- it forces organizations to define the boundaries that are often left ambiguous.

Multi-tenancy controls. ISO 27017 requires that cloud providers demonstrate adequate isolation between tenants at the compute, storage, and network layers. This goes well beyond what ISO 27001 Annex A addresses.

Virtual environment hardening. The standard requires specific controls for virtual machine images, hypervisor security, and virtual network configurations. These are areas where cloud-specific threats differ fundamentally from traditional IT security concerns.

Who Needs ISO 27017

  • Cloud service providers (IaaS, PaaS, SaaS) serving enterprise customers who require assurance about cloud-specific controls
  • Managed service providers operating customer workloads in cloud environments
  • Organizations seeking FedRAMP or government cloud contracts where cloud-specific controls are scrutinized
  • Companies differentiating in competitive cloud markets where ISO 27017 signals maturity beyond baseline ISO 27001

ISO 27018: PII Protection in Public Clouds

ISO 27018 (formally ISO/IEC 27018:2019) establishes controls for protecting personally identifiable information in public cloud computing environments. Where ISO 27017 focuses on cloud security broadly, ISO 27018 focuses narrowly on privacy obligations when acting as a PII processor.

What ISO 27018 Adds

ISO 27018 augments ISO 27002 controls with PII-specific guidance and introduces additional controls derived from privacy principles:

| Privacy Principle | Key Requirements |
|---|---|
| Consent and choice | Process PII only as instructed by the customer; obtain consent for any additional processing |
| Purpose limitation | Do not use PII for marketing or advertising unless expressly instructed |
| Data minimization | Limit temporary file and document creation; define retention and deletion policies |
| Openness and transparency | Disclose sub-processor use; notify customers of government data access requests |
| Individual participation | Support customers in fulfilling data subject access requests |
| Accountability | Establish breach notification procedures with defined timelines |

ISO 27018 Controls Beyond ISO 27002

ISO 27018 introduces several controls that address cloud PII processor-specific obligations:

  • Sub-processor management. Cloud providers must disclose all sub-processors, provide advance notice of changes, and ensure contractual flow-down of PII protection obligations.
  • Data return and deletion. The standard requires that providers define and implement processes for returning PII to customers and securely deleting it upon contract termination. This includes deletion from backups within a defined timeframe.
  • Government access disclosure. Providers must notify customers when they receive legally binding requests for PII disclosure, except where prohibited by law.
  • Geographic transparency. Organizations must disclose the countries in which PII may be stored or processed.

Who Needs ISO 27018

  • SaaS companies processing customer end-user data including names, emails, behavioral data, or any other PII
  • Cloud infrastructure providers hosting workloads that contain PII on behalf of customers
  • Healthcare technology companies processing protected health information in cloud environments
  • Fintech and adtech companies where PII processing is core to the business model
  • Any organization subject to GDPR that acts as a data processor and wants to demonstrate compliance through a recognized certification

How the Three Standards Work Together

The relationship between these three standards is hierarchical, not lateral. ISO 27001 is the foundation. ISO 27017 and ISO 27018 are extensions that build on it.

The Extension Model

ISO 27001 (ISMS Foundation)
├── ISO 27017 (Cloud Security Extension)
└── ISO 27018 (Cloud PII Protection Extension)

Both extensions reference and augment the same Annex A control set from ISO 27001. This means implementing one extension creates significant scaffolding for the other. In practice, we see three common implementation patterns:

| Pattern | Timeline | Best For |
|---|---|---|
| ISO 27001 only | 6-12 months | Organizations without cloud-specific or PII obligations |
| ISO 27001 + 27017 | 8-14 months | Cloud providers not processing significant PII |
| ISO 27001 + 27017 + 27018 | 9-16 months | Cloud providers processing PII (most SaaS companies) |

Control Overlap Between ISO 27017 and ISO 27018

A significant portion of the implementation effort for one extension carries over to the other. Both standards build on the same ISO 27002 control framework and share common themes:

  • Access control enhancements appear in both standards with cloud-specific and PII-specific guidance
  • Logging and monitoring requirements overlap, with 27017 focusing on cloud operations and 27018 focusing on PII access
  • Asset management receives supplementary guidance in both standards regarding cloud and PII assets
  • Supplier and sub-processor management is addressed from complementary angles

What we tell clients is that if you are implementing ISO 27017, adding ISO 27018 typically requires only 20 to 30 percent additional effort beyond what you have already done -- assuming you process PII and have already thought through your data handling practices.

Industry-Specific Guidance

SaaS Companies

Most B2B SaaS companies should pursue all three standards. Your customers are asking for ISO 27001 as baseline assurance, ISO 27017 because you are delivering a cloud service, and ISO 27018 because you are processing their end-users' data. The combined certification sends a clear signal to enterprise procurement teams that you take cloud security and data protection seriously.

Cloud Infrastructure Providers

IaaS and PaaS providers should prioritize ISO 27001 plus ISO 27017. Whether you also need ISO 27018 depends on whether you have access to customer PII. If your service model means you never access customer data (true infrastructure-only), ISO 27018 may not apply. However, if you provide any managed services that involve data access, ISO 27018 becomes relevant.

Financial Services Technology

Fintech companies operating in cloud environments face scrutiny from both financial regulators and enterprise bank customers. The combination of ISO 27001, ISO 27017, and ISO 27018 aligns well with regulatory expectations and dramatically simplifies vendor due diligence conversations. This is particularly true for companies expanding into European markets where ISO-family certifications carry more weight than SOC 2 reports.

Healthcare Technology

Health-tech companies processing PHI in cloud environments benefit from the full stack. ISO 27018's PII controls align closely with HIPAA's privacy and security requirements, and the certification provides international credibility that HIPAA compliance alone does not offer.

Implementation Roadmap

Phase 1: Establish the ISO 27001 ISMS (Months 1-6)

  1. Define the ISMS scope, including all cloud services and PII processing activities
  2. Conduct risk assessment covering cloud-specific and PII-specific threat scenarios
  3. Implement Annex A controls with an eye toward future 27017 and 27018 requirements
  4. Build the management system documentation: policies, procedures, and records
  5. Conduct internal audit and management review
  6. Achieve ISO 27001 certification

For details on certification costs, see our ISO 27001 certification cost guide.

Phase 2: Add ISO 27017 and ISO 27018 Extensions (Months 7-10)

  1. Perform a gap analysis against ISO 27017 and ISO 27018 control requirements
  2. Update the Statement of Applicability to include extension-specific controls
  3. Implement additional controls:
    • Document shared responsibility model (27017)
    • Implement multi-tenancy isolation evidence (27017)
    • Establish PII processing agreements (27018)
    • Build sub-processor management program (27018)
    • Create data return and deletion procedures (27018)
  4. Update risk assessment to cover cloud-specific and PII-specific risks identified by the extensions
  5. Conduct internal audit covering the extended scope
  6. Schedule surveillance or extension audit with your certification body

Phase 3: Ongoing Maintenance

  • Integrate extension requirements into your annual surveillance audit cycle
  • Update shared responsibility documentation as cloud architecture evolves
  • Review sub-processor changes quarterly
  • Include cloud-specific and PII-specific scenarios in your incident response testing

Reducing Audit Overhead with Combined Certification

One of the most practical benefits of implementing these standards together is audit efficiency. Certification bodies that are accredited for all three standards can conduct combined audits, which means:

  • Single audit team familiar with your entire ISMS and its extensions
  • Shared evidence collection for overlapping controls rather than duplicating documentation requests
  • Combined surveillance audits that cover ISO 27001, 27017, and 27018 in a single annual visit
  • Reduced total audit days -- typically 30 to 40 percent fewer audit days than separate assessments

In our experience, organizations that plan for all three standards from the outset spend significantly less on total audit fees over a three-year certification cycle compared to those that add extensions reactively.

Common Mistakes to Avoid

Treating extensions as separate projects. ISO 27017 and ISO 27018 should be integrated into your existing ISMS, not bolted on as parallel compliance programs. This means updating your risk assessment, Statement of Applicability, and internal audit program rather than creating separate documentation.

Ignoring the shared responsibility model. The single most common finding in ISO 27017 audits is inadequate documentation of which security controls are the provider's responsibility and which are the customer's. This documentation must be specific, not generic.

Overlooking sub-processor obligations. ISO 27018 requires transparency about sub-processors. Many organizations discover late in the implementation that they have undocumented sub-processing relationships that need to be disclosed and contractually managed.

Selecting a certification body that cannot audit all three standards. Not all certification bodies are accredited for ISO 27017 and ISO 27018. Verify accreditation before engaging your auditor to avoid having to switch certification bodies or manage multiple audit relationships.

Strategic Value Beyond Compliance

Pursuing the ISO 27001, 27017, and 27018 stack is not just about checking boxes. It provides tangible business value:

  • Enterprise sales acceleration. The combined certification answers the most common security questionnaire topics in a single artifact. When a prospect asks about cloud security controls and PII handling, you point to your certificate rather than writing custom responses.
  • Regulatory alignment. ISO 27018 maps closely to GDPR processor obligations, CCPA service provider requirements, and other privacy regulations. The certification provides evidence of compliance that regulators recognize.
  • Competitive differentiation. While ISO 27001 is increasingly common, the addition of 27017 and 27018 remains relatively rare. It signals a level of security maturity that sets you apart from competitors who hold only the base certification.
  • Reduced questionnaire burden. Organizations with all three certifications report 40 to 60 percent reductions in time spent completing vendor security assessments.

If you are evaluating whether to pursue ISO 27001 alongside or instead of SOC 2, see our guide on SOC 2 vs ISO 27001 for a detailed comparison of both frameworks and when each makes sense as a first certification.

Conclusion

ISO 27001, ISO 27017, and ISO 27018 form a coherent stack for cloud service providers and organizations processing PII in public cloud environments. ISO 27001 provides the foundational management system. ISO 27017 adds the cloud-specific security controls that enterprise customers and regulators expect. ISO 27018 addresses the PII protection obligations that privacy regulations demand. Implementing them together -- rather than sequentially as separate initiatives -- is the most cost-effective path and delivers the strongest trust signal to your market.
