Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC DIS 27017:2025)

ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- additional implementation guidance for relevant controls specified in ISO/IEC 27002;
- additional controls with implementation guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

General Information

Status: Not Published
Publication Date: 06-Sep-2026
Current Stage: 4020 - Submission to enquiry - Enquiry
Start Date: 06-Feb-2025
Due Date: 06-Feb-2025
Completion Date: 06-Feb-2025

Buy Standard

Draft: prEN ISO/IEC 27017:2025, English language, 43 pages

Standards Content (Sample)

SLOVENIAN STANDARD
01-April-2025
Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC DIS 27017:2025)
This Slovenian standard is identical to: prEN ISO/IEC 27017
ICS:
03.100.70 Management systems
35.030 IT Security
35.210 Cloud computing
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

DRAFT International Standard
ISO/IEC DIS 27017
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services
ICS: 35.030
Voting begins on: 2025-02-03
Voting terminates on: 2025-04-28
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 27017:2025(en)
© ISO/IEC 2025
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ... vi
Introduction ... vii
1 Scope ... 1
2 Normative references ... 1
3 Terms, definitions and abbreviated terms ... 1
3.1 Terms and definitions ... 1
3.2 Abbreviated terms ... 2
4 Cloud computing specific concepts ... 2
4.1 General ... 2
4.1.1 Overview ... 2
4.1.2 Structure of this International Standard ... 2
4.2 Cloud computing specific concepts ... 3
4.2.1 Supplier relationships in cloud services ... 3
4.2.2 Relationships between CSCs and CSPs ... 3
4.2.3 Managing information security risks in cloud services ... 4
5 Cloud service specific guidance related to organizational controls ... 5
5.1 Policies for information security ... 5
5.2 Information security roles and responsibilities ... 6
5.3 Segregation of duties ... 6
5.4 Management responsibilities ... 6
5.5 Contact with authorities ... 6
5.6 Contact with special interest groups ... 6
5.7 Threat intelligence ... 6
5.8 Information security in project management ... 7
5.9 Inventory of information and other associated assets ... 7
5.10 Acceptable use of information and other associated assets ... 7
5.11 Return of assets ... 7
5.12 Classification of information ... 8
5.13 Labelling of information ... 8
5.14 Information transfer ... 8
5.15 Access control ... 8
5.16 Identity management ... 8
5.17 Authentication information ... 8
5.18 Access rights ... 9
5.19 Information security in supplier relationships ... 9
5.20 Addressing information security within supplier agreements ... 9
5.21 Managing information security in the ICT supply chain ... 10
5.22 Monitoring, review and change management of supplier services ... 10
5.23 Information security for use of cloud services ... 10
5.24 Information security incident management planning and preparation ... 10
5.25 Assessment and decision on information security events ... 10
5.26 Response to information security incidents ... 11
5.27 Learning from information security incidents ... 11
5.28 Collection of evidence ... 11
5.29 Information security during disruption ... 11
5.30 ICT readiness for business continuity ... 11
5.31 Identification of legal, statutory, regulatory and contractual requirements ... 11
5.32 Intellectual property rights ... 12
5.33 Protection of records ... 13
5.34 Privacy and protection of PII ... 13
5.35 Independent review of information security ... 13
5.36 Compliance with policies and standards for information security ... 13
5.37 Documented operating procedures ... 13
6 Cloud service specific guidance related to people controls ... 14
6.1 Screening ... 14
6.2 Terms and conditions of employment ...
...
