Status Update: ISO 27017 (Cloud Security) & 27018 (Cloud Privacy)

ISO 27001 was revised in October 2022, which triggered cascading updates for a number of aligned ISO publications. Two of those publications are ISO 27017 Security Techniques — Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services, and ISO 27018 Information Security, Cybersecurity and Privacy Protection — Guidelines for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors. Both publications describe the recommended split of roles and responsibilities between the cloud service customer and the cloud service provider when systems are implemented in a cloud services environment.

ISO 27017 was last published in 2015. The new revision is currently in the Draft International Standard (DIS) stage and is expected to be published before the end of 2026, some 4 years after ISO 27001:2022 was published. The new edition will be renamed Information Security, Cybersecurity and Privacy Protection — Information Security Controls Based on ISO/IEC 27002 for Cloud Services. Of note, the new edition of ISO 27017 will align its mapping of ISO 27001 Annex A controls with the 2022 version, and will revise the extended cloud (CLD) controls published in a separate Annex of ISO 27017.

ISO 27018 has already been updated (August 2025), and incorporates the recent changes to ISO 29100:2024 Security Techniques - Privacy Framework.

NOTE: To better understand and interpret both of these standards, consider the ISO 27036-series, especially ISO 27036-4 Security Techniques - Information Security for Supplier Relationships, Part 4: Guidelines for Security of Cloud Services.
