ISO/IEC 27017:2015

ISO/IEC 27017:2015 overview

The ISO/IEC 27017:2015 code of practice is designed for organizations to use as a reference when selecting information security controls for cloud services while implementing a cloud computing information security management system based on ISO/IEC 27002:2013. It can also be used by cloud service providers as a guidance document for implementing commonly accepted protection controls.

This international standard provides additional cloud-specific implementation guidance based on ISO/IEC 27002:2013, together with additional controls that address cloud-specific information security threats and risks; clauses 5-18 of ISO/IEC 27002:2013 supply the controls, implementation guidance, and other information on which it builds. Specifically, this standard provides guidance on 37 controls in ISO/IEC 27002:2013, and it also features seven new controls that aren't duplicated in ISO/IEC 27002:2013. These new controls address the following important areas:

  • Shared roles and responsibilities within a cloud computing environment
  • Removal and return of cloud service customer assets upon contract termination
  • Protection and separation of a customer's virtual environment from environments of other customers
  • Virtual machine hardening requirements to meet business needs
  • Procedures for administrative operations of a cloud computing environment
  • Enabling customers to monitor relevant activities within a cloud computing environment
  • Alignment of security management for virtual and physical networks

ISO/IEC 27017:2015 is unique in providing guidance for both cloud service providers and cloud service customers. It also provides cloud service customers with practical information on what they should expect from cloud service providers. Customers can benefit directly from ISO/IEC 27017:2015 by ensuring they understand the shared responsibilities in the cloud.

Azure and ISO/IEC 27017

Microsoft Azure, Dynamics 365, and other Microsoft online services undergo regular independent third-party audits for ISO/IEC 27017 compliance. You can review the Azure ISO/IEC 27017 certificate and audit report for more information.

Applicability

  • Azure
  • Azure Government

Services in scope

For a list of Microsoft online services in audit scope, see Microsoft Azure Compliance Offerings or the Azure ISO/IEC 27017 certificate:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

Office 365 and ISO/IEC 27017

For more information about Office 365 compliance, see Office 365 ISO/IEC 27017 documentation.

Audit reports and certificates

The Azure ISO/IEC 27017 certificate covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 online services. You can access Azure ISO/IEC 27017 audit documents from the Service Trust Portal (STP) ISO reports section. You must sign in to access audit reports on the STP. For more information, see Get started with Microsoft Service Trust Portal.

Frequently asked questions

To whom does ISO/IEC 27017 apply?
The ISO/IEC 27017 code of practice provides controls and implementation guidance for both cloud service providers and cloud service customers. It is structured in a format similar to ISO/IEC 27002.

Where can I get the Azure ISO/IEC 27017 audit documentation?
For links to audit documentation, see Audit reports and certificates. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Can I use the Azure ISO/IEC 27017 compliance assurances in my organization’s certification process?
Yes. If your business is seeking certification for an implementation deployed using in-scope services, you can use the relevant Azure certifications in your compliance assessment. However, you're responsible for engaging an assessor to evaluate your implementation for compliance and for the controls and processes within your own organization.

Resources