Quiz Entry - updated: 2026.07.14
What do the cloud-specific standards ISO/IEC 27017 and ISO/IEC 27018 cover, and how do they differ?
27017 = security controls for cloud services (provider + customer). 27018 = privacy / PII protection in public clouds acting as PII processors.
| Standard | Year | Scope |
|---|---|---|
| ISO/IEC 27017 | 2015 | Code of practice for information security controls for cloud services — extends 27002 with cloud-specific guidance |
| ISO/IEC 27018 | 2014 | Code of practice for protection of PII in public clouds acting as PII processors — extends 27002 with privacy guidance |
The cloud market drove the need for both: customers wanted to know which 27002 controls the provider owned vs which were customer-side, plus where personal data lived and how it was handled.
Tip: When a cloud provider (AWS, Azure, GCP, Swisscom) advertises "ISO 27017 + 27018 certified," they're claiming both: cloud-security best practice and GDPR-aligned PII handling. Read their shared-responsibility matrix to see which controls they actually own.
Go deeper:
ISO/IEC 27017 — cloud security controls (provider + customer) — explains the 37 adapted plus 7 new cloud-only controls and the shared-responsibility split.
ISO/IEC 27018 — protecting PII in public clouds — the privacy counterpart: what a PII processor must do (data location, no ad use without consent).