A code of practice that provides guidance for information security controls applicable to the provision and use of cloud services.

It supports organisations that deliver or consume cloud services by providing (1) additional cloud-specific implementation guidance for relevant ISO/IEC 27001 controls and (2) additional controls with implementation guidance that specifically relate to cloud services. Importantly, the standard is designed for both cloud service providers and cloud service customers, reflecting the shared responsibility model that underpins secure cloud operations.

ISO/IEC 27017 strengthens cloud assurance by clarifying responsibilities and adding cloud-focused guidance and controls. It provides cloud-based guidance on 37 ISO/IEC 27002 controls and introduces seven additional cloud controls (the CLD controls), which address key cloud risks such as shared responsibilities, secure asset return/removal at contract termination, segregation of virtual environments, virtual machine configuration, administrative operational procedures, customer monitoring of cloud activity, and alignment between virtual and physical network security. When used alongside an ISO/IEC 27001 ISMS, ISO/IEC 27017 is commonly adopted to enhance cloud-specific governance, control implementation, and audit readiness.

ISO/IEC 27017 is particularly valuable because it defines expectations for both parties in the cloud relationship.

Executives, risk owners, IT managers, and technical teams can reduce cloud risk by formally documenting shared responsibilities, selecting appropriate cloud controls, and ensuring operational practices—such as segregation, monitoring, configuration management, and secure exit—are implemented and evidenced. This enables more informed provider selection, stronger oversight of cloud services, and clearer accountability across IaaS, PaaS, and SaaS arrangements.

• Builds trust – provides customers, partners, and stakeholders with greater confidence that cloud security responsibilities and controls are clearly defined and effectively managed.
• Competitive advantage – demonstrates mature cloud security governance and strengthens responses to procurement and tender requirements.
• Protects reputation – reduces the likelihood and impact of cloud-related incidents, including misconfiguration and accountability gaps
• Improves contractual clarity – supports clearer cloud service agreements, including roles, obligations, monitoring expectations, and exit/transition requirements.
• Enables secure cloud growth – provides a recognised framework to scale cloud adoption while maintaining consistent security practices across providers and services.

As a cyber security research organization,  Cyber Security Centre can provide insightful results from research into various Cyber related subjects. Professional staff have at least Masters degrees, with some undertaking PhD research as well.