TL;DR
- ISO/IEC 27017 is a code of practice providing additional cloud-service-specific controls and guidance on top of ISO 27002.
- ISO/IEC 27018 is a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- Neither is certifiable on its own; both are typically attested as part of an ISO 27001 audit by extending the Statement of Applicability (SoA).
- Together they form the international cloud-and-PII overlay that EU buyers, the EUCS scheme, and post-Schrems II practice broadly expect.
Why the Extensions Exist
ISO 27001 is technology-agnostic by design. Its Annex A controls are written so they apply to any organisation regardless of whether it runs an on-premises data centre, a fleet of SaaS apps, or a public cloud. That generality is a strength but also a gap — cloud-specific issues (shared responsibility, multi-tenancy, customer-managed keys) and PII-in-cloud issues (sub-processor transparency, data subject rights, return of data on exit) are not addressed in depth.
ISO 27017 and ISO 27018 close the gap. They are 'codes of practice' — not separate certifiable standards — that extend or refine ISO 27002 guidance for the cloud context.
ISO/IEC 27017 — Cloud Services Controls
ISO 27017 was first published in 2015. It does two things:
- Provides additional implementation guidance for existing ISO 27002 controls in a cloud context.
- Introduces a small number of new cloud-specific controls (CLD-prefixed) covering shared roles and responsibilities, removal of cloud-service-customer assets, segregation in virtual computing environments, virtual-machine hardening, administrator operational security, monitoring of cloud services, and alignment of security management for virtual and physical networks.
27017 applies to both the cloud service provider and the cloud service customer — both have separate guidance in the standard.
ISO/IEC 27018 — PII in Public Clouds
ISO 27018, first published in 2014 and revised in 2019, is targeted specifically at public-cloud providers acting as PII processors (i.e. handling personal data on behalf of customers). It provides:
- Additional guidance for ISO 27002 controls in a PII-processor context.
- A set of new PII-specific controls — purpose limitation, sub-processor transparency, geographic-location notice, customer return of PII on contract end, prohibition on using PII for marketing without consent.
27018 has been particularly influential because hyperscalers used it as a credible signal in the post-GDPR period to demonstrate processor-side commitments. It is not a substitute for GDPR Article 32 compliance, but it is widely accepted as material evidence in support of it.
How They Are Audited
Neither standard is certifiable on its own. The standard practice is:
- Add 27017 and 27018 controls to the Statement of Applicability of the ISO 27001 ISMS.
- Extend the audit scope so the certification body assesses the additional guidance.
- Receive a certificate that mentions ISO 27001 + 27017 + 27018 as the certified scope.
Some certification bodies issue a stand-alone 'ISO 27017 certificate' for marketing reasons. The substance is the extended SoA and the audit evidence — the certificate format is a presentation choice, not a separate certification.
Relationship to GDPR and Schrems II
ISO 27018 controls map directly onto GDPR Article 28 (processor obligations) and Article 32 (security of processing) requirements. Implementing 27018 well does not by itself prove GDPR compliance, but it provides much of the operational evidence that auditors and regulators expect to see.
Post-Schrems II, the 27018 control around informing customers of the geographical locations of PII processing is particularly important — it is one of the inputs into a Transfer Impact Assessment.
When To Bundle Them
- Your cloud service holds personal data on behalf of customers — bundle 27018.
- You sell into EU / UK markets and customers ask about cloud-specific controls — bundle 27017.
- You are pursuing EUCS Substantial — both are effectively required input.
- You already hold ISO 27001 — the incremental cost of adding 27017+27018 to the audit is modest.
Where Yobitel Sits
Yobitel maintains ISO 27001 + 27017 + 27018 as the integrated certified scope. The PII-processor controls in 27018 are the basis for our Data Processing Agreement structure, sub-processor disclosure cadence, and customer-managed key options.
References
- ISO/IEC 27017:2015 · ISO
- ISO/IEC 27018:2019 · ISO
- ISO/IEC 27002:2022 · ISO