LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What do the cloud-specific standards ISO/IEC 27017 and ISO/IEC 27018 cover, and how do they differ?

27017 = security controls for cloud services (provider + customer). 27018 = privacy / PII protection in public clouds acting as PII processors.

Standard Year Scope
ISO/IEC 27017 2015 Code of practice for information security controls for cloud services — extends 27002 with cloud-specific guidance
ISO/IEC 27018 2014 Code of practice for protection of PII in public clouds acting as PII processors — extends 27002 with privacy guidance

The cloud market drove the need for both: customers wanted to know which 27002 controls the provider owned vs which were customer-side, plus where personal data lived and how it was handled.

Tip: When a cloud provider (AWS, Azure, GCP, Swisscom) advertises "ISO 27017 + 27018 certified," they're claiming both: cloud-security best practice and GDPR-aligned PII handling. Read their shared-responsibility matrix to see which controls they actually own.

Go deeper:

From Quiz: ISF / ISMS & Security Standards (ISO 27k, NIST, BSI) | Updated: Jul 14, 2026