ISO 27017 (Cloud Security Controls)
The international standard providing cloud-specific information security controls supplementing ISO 27001, with distinct guidance for cloud service providers and customers.
ISO/IEC 27017:2015, "Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services," provides cloud-specific guidance for both cloud service providers (CSPs) and cloud service customers (CSCs). It supplements ISO 27002 rather than replacing it: it adds cloud-specific implementation guidance to 37 existing ISO 27002 controls and introduces 7 new controls with no ISO 27002 counterpart, identified by the CLD prefix: CLD.6.3.1 (shared roles and responsibilities within a cloud computing environment), CLD.8.1.5 (removal of cloud service customer assets), CLD.9.5.1 (segregation in virtual computing environments), CLD.9.5.2 (virtual machine hardening), CLD.12.1.5 (administrator's operational security), CLD.12.4.5 (monitoring of cloud services), and CLD.13.1.4 (alignment of security management for virtual and physical networks). The CLD numbering follows the clause structure of ISO/IEC 27002:2013, so it does not map one-to-one onto the renumbered controls of ISO/IEC 27002:2022; organizations certified against ISO/IEC 27001:2022 need a mapping between the two editions.
The shared responsibility model is the foundation of ISO 27017 compliance. Control CLD.6.3.1 requires that the division of information security responsibilities between CSP and CSC be defined, documented, agreed, and communicated to the other party. In practice this means a responsibility assignment matrix (RAM, usually in RACI form) covering every ISO 27017 control, stating which party owns, implements, monitors, and produces evidence for each one. The matrix differs by service model: an IaaS customer owns most controls from the guest operating system upward (patching, hardening, host logging), a PaaS customer owns the application and its data, and a SaaS customer owns mainly identity and access management, data classification, and the configuration of the service's security options; the provider owns everything below that line in each case. Auditors expect the matrix to be a living document, revised whenever cloud services or their configurations change, not a one-time exercise.
Virtual machine and container security receive specific attention in ISO 27017. Control CLD.9.5.2 requires that VMs be hardened: configured to a documented baseline, with unused services, ports, and accounts disabled, and with the images used as templates hardened and kept up to date as well, since every instance inherits the weaknesses of its image. For containerized workloads the same principle extends to base image hardening, image signing and verification before deployment, and runtime security controls. Control CLD.9.5.1 requires that a customer's virtual environment be segregated from other tenants and from unauthorized persons; the provider enforces this at the hypervisor, storage, and network layers, and the customer applies the same principle between its own workloads of different security classifications, using separate VPCs, security groups, and Kubernetes NetworkPolicy objects. The check that matters in practice is that isolation at one layer is not undone at another: a storage volume or a network attachment shared between differently classified workloads bypasses the network segregation entirely.
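The customer-side half of that check can be automated over an inventory export. The script below is an added example, not code from the page or from any vendor's posture tooling; it assumes a simplified inventory model (workloads with a classification label, security groups, and attached volumes; ingress rules whose source is either another security group or a CIDR), and the labels "restricted", "internal", and "public" and all identifiers are constructed for illustration. It flags ingress rules that let a workload of one classification reach a workload of another, rules that expose a restricted workload to 0.0.0.0/0, and volumes attached across classifications.

```python
"""Segregation posture check for CLD.9.5.1 (added example; inventory format is assumed)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    classification: str            # assumed labels: "restricted", "internal", "public"
    security_groups: frozenset[str]
    volumes: frozenset[str]        # block or shared storage attached to this workload


@dataclass(frozen=True)
class IngressRule:
    group: str     # security group the rule is attached to (the protected side)
    source: str    # another security group id ("sg-...") or a CIDR
    port: int


def find_segregation_violations(workloads: list[Workload], rules: list[IngressRule]) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: list[str] = []

    # Index which workloads each security group protects.
    by_group: dict[str, list[Workload]] = {}
    for w in workloads:
        for sg in w.security_groups:
            by_group.setdefault(sg, []).append(w)

    for r in rules:
        for target in by_group.get(r.group, []):
            if r.source.startswith("sg-"):
                # Group-to-group rule: any cross-classification path is a finding.
                for src in by_group.get(r.source, []):
                    if src.classification != target.classification:
                        findings.append(
                            f"network: {r.group} on {target.name} [{target.classification}] "
                            f"allows port {r.port} from {src.name} [{src.classification}] via {r.source}"
                        )
            else:
                # CIDR rule: a restricted workload must never be reachable from the whole Internet.
                net = ipaddress.ip_network(r.source, strict=False)
                if target.classification == "restricted" and net.prefixlen == 0:
                    findings.append(
                        f"network: {r.group} on {target.name} [restricted] "
                        f"allows port {r.port} from any address ({r.source})"
                    )

    # Storage: one volume attached across classifications bypasses network segregation entirely.
    by_volume: dict[str, set[tuple[str, str]]] = {}
    for w in workloads:
        for vol in w.volumes:
            by_volume.setdefault(vol, set()).add((w.name, w.classification))
    for vol, attached in sorted(by_volume.items()):
        classes = sorted({c for _, c in attached})
        if len(classes) > 1:
            names = ", ".join(sorted(n for n, _ in attached))
            findings.append(f"storage: volume {vol} is attached to {names} spanning {classes}")

    return findings


# Constructed inventory for the example (not real infrastructure).
SAMPLE_WORKLOADS = [
    Workload("pii-db", "restricted", frozenset({"sg-db"}), frozenset({"vol-pii"})),
    Workload("web-frontend", "public", frozenset({"sg-web"}), frozenset({"vol-static"})),
    Workload("report-batch", "internal", frozenset({"sg-batch"}), frozenset({"vol-pii"})),
]

SAMPLE_RULES = [
    IngressRule("sg-web", "0.0.0.0/0", 443),    # fine: the public tier faces the Internet
    IngressRule("sg-db", "sg-web", 5432),       # finding: public tier reaches the restricted DB directly
    IngressRule("sg-db", "10.20.0.0/24", 22),   # tolerated here: a bastion range, not the whole Internet
    IngressRule("sg-db", "0.0.0.0/0", 5432),    # finding: restricted DB reachable from anywhere
]


def run_example() -> list[str]:
    return find_segregation_violations(SAMPLE_WORKLOADS, SAMPLE_RULES)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run against the constructed inventory it reports three findings: the web tier's direct path to the database, the database exposed to any address, and the volume shared between the restricted database and the internal batch job. The storage check is the one most often missing from network-centric reviews, which is why it is treated as a first-class finding rather than a note.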
We build ISO 27017 compliance into cloud architectures from the design phase: shared responsibility matrices are generated per cloud service model (IaaS/PaaS/SaaS) and incorporated into vendor contracts. Our infrastructure-as-code pipelines enforce VM and container hardening baselines automatically, and our cloud posture management tooling continuously validates segregation controls against the CLD.9.5.1 requirements.