Dallas Bishoff

ISO Steering Committee 27


ISO Steering Committee 27 (SC27) oversees the world of information security, cybersecurity, and privacy protection. SC27 and all of the applicable standards can be found here. There are 5 working groups (WGs):

WG 1: Information Security Management Systems

WG 2: Cryptography and Security Mechanisms

WG 3: Security Evaluation, Test, and Specifications

WG 4: Security Controls and Services

WG 5: Identity Management and Privacy Technologies

NOTE: PROCESS 360 is a voting member of the U.S. Technical Advisory Group (TAG), which drafts, approves, and updates the full suite of SC27 standards. The Company is a member of all 5 working groups.

Dallas Bishoff

Status Update: ISO 27017 (Cloud Security) & 27018 (Cloud Privacy)

Status Update: ISO 27017 & ISO 27018

ISO 27001 was revised in October 2022, which triggered cascading updates for a number of aligned ISO publications. Two of those publications are ISO 27017 Security Techniques — Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services, along with ISO 27018 Information Security, Cybersecurity and Privacy Protection — Guidelines for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors. Both of these publications explain the recommended bifurcation of roles and responsibilities when systems are implemented in a cloud services environment.

ISO 27017 was last published in 2015. The new revision is currently in the Draft International Standard (DIS) stage and is expected to be published before the end of 2026, some 4 years after ISO 27001:2022 was published. The new edition will be renamed to Information Security, Cybersecurity and Privacy Protection — Information Security Controls Based on ISO/IEC 27002 for Cloud Services. Of note, the new edition of ISO 27017 will bring the ISO 27001 Annex A controls into alignment with the 2022 version, and revise the extended cloud (CLD) controls published in a separate Annex of ISO 27017.

ISO 27018 has already been updated (August 2025), and incorporates the recent changes to ISO 29100:2024 Security Techniques - Privacy Framework.

NOTE: To better understand and interpret both of these standards, consider the ISO 27036-series, especially ISO 27036-4 Security Techniques - Information Security for Supplier Relationships, Part 4: Guidelines for Security of Cloud Services.
