ISO/IEC 27017 & ISO/IEC 27018
ISO/IEC 27017 is the cloud security code of practice extending ISO 27001 to cloud services. ISO/IEC 27018 is the privacy code of practice for protecting personally identifiable information in public cloud services.
How 27017 and 27018 relate to 27001
ISO/IEC 27001 specifies the information security management system (ISMS) requirements. ISO/IEC 27017:2015 is a code of practice that extends the 27001/27002 control set with cloud-specific guidance (shared responsibility, virtual machine hardening, customer data segregation, administrator access). ISO/IEC 27018:2019 is a code of practice for cloud service providers acting as PII processors, derived from 27002 with privacy-specific additions (consent, transparency, deletion, transfer notification). Certification is typically conducted as an extension of an existing ISO 27001 audit — a single auditor adds the 27017 and 27018 scope.
Why buyers ask for them
For enterprise SaaS and AI vendors, ISO 27017 and 27018 are commonly bundled into the security questionnaire alongside 27001 and SOC 2. They demonstrate that the vendor has explicitly considered cloud-specific shared-responsibility issues and privacy controls in addition to general information security. The certifications are not legally required but are increasingly expected from vendors selling internationally to regulated industries.
AI procurement specifics
For AI vendors, ISO 27018 has growing relevance because it addresses processing of PII by cloud providers — overlapping heavily with GDPR processor obligations and CCPA service provider obligations. A vendor with current 27001/27017/27018 certifications and a SOC 2 Type II report has the strongest infrastructure-security and privacy attestation pack that existed before AI-specific frameworks. ISO/IEC 42001 (AI management system, 2023) is the AI-specific complement and is likely to become a parallel ask over the next 24 months.