Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC DIS 27017:2025)

This document provides guidance for information security controls, based on ISO/IEC 27002, applicable to the provision and use of cloud services. This document provides:
— additional guidance for relevant controls specified in ISO/IEC 27002:2022;
— additional controls with guidance that specifically relate to cloud services.
This document provides controls and guidance for CSCs and CSPs.
This document applies to all types of cloud deployment models including the private cloud. When applying this document to the private cloud, the controls and guidance of this document are applicable, although adjustments can be necessary to adapt to the relationships and abilities of an organization’s internal departments.


This Recommendation | International Standard contains guidelines on information security controls applicable to the provision and use of cloud computing services, for example:
— additional recommendations concerning the implementation of the relevant security controls specified in ISO/IEC 27002;
— additional security controls with implementation recommendations specifically related to cloud services.
This Recommendation | International Standard provides recommendations on controls and their implementation intended for cloud computing service providers and their customers.


General Information

Status
Not Published
Publication Date
06-Sep-2026
Current Stage
4060 - Closure of enquiry - Enquiry
Start Date
28-Apr-2025
Completion Date
28-Apr-2025

Relations

Draft
prEN ISO/IEC 27017:2025
English language
43 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-April-2025
Information security, cybersecurity and privacy protection - Information security controls based on ISO/IEC 27002 for cloud services (ISO/IEC DIS 27017:2025)
This Slovenian standard is identical to: prEN ISO/IEC 27017
ICS:
03.100.70 Management systems
35.030 IT Security
35.210 Cloud computing
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT International Standard
ISO/IEC DIS 27017
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2025-02-03
Voting terminates on: 2025-04-28
Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services
ICS: 35.030
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 27017:2025(en)
© ISO/IEC 2025
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
ii
Contents (page)
Foreword ... vi
Introduction ... vii
1 Scope ... 1
2 Normative references ... 1
3 Terms, definitions and abbreviated terms ... 1
3.1 Terms and definitions ... 1
3.2 Abbreviated terms ... 2
4 Cloud computing specific concepts ... 2
4.1 General ... 2
4.1.1 Overview ... 2
4.1.2 Structure of this International Standard ... 2
4.2 Cloud computing specific concepts ... 3
4.2.1 Supplier relationships in cloud services ... 3
4.2.2 Relationships between CSCs and CSPs ... 3
4.2.3 Managing information security risks in cloud services ... 4
5 Cloud service specific guidance related to organizational controls ... 5
5.1 Policies for information security ... 5
5.2 Information security roles and responsibilities ... 6
5.3 Segregation of duties ... 6
5.4 Management responsibilities ... 6
5.5 Contact with authorities ... 6
5.6 Contact with special interest groups ... 6
5.7 Threat intelligence ... 6
5.8 Information security in project management ... 7
5.9 Inventory of information and other associated assets ... 7
5.10 Acceptable use of information and other associated assets ... 7
5.11 Return of assets ... 7
5.12 Classification of information ... 8
5.13 Labelling of information ... 8
5.14 Information transfer ... 8
5.15 Access control ... 8
5.16 Identity management ... 8
5.17 Authentication information ... 8
5.18 Access rights ... 9
5.19 Information security in supplier relationships ... 9
5.20 Addressing information security within supplier agreements ... 9
5.21 Managing information security in the ICT supply chain ... 10
5.22 Monitoring, review and change management of supplier services ... 10
5.23 Information security for use of cloud services ... 10
5.24 Information security incident management planning and preparation ... 10
5.25 Assessment and decision on information security events ... 10
5.26 Response to information security incidents ... 11
5.27 Learning from information security incidents ... 11
5.28 Collection of evidence ... 11
5.29 Information security during disruption ... 11
5.30 ICT readiness for business continuity ... 11
5.31 Identification of legal, statutory, regulatory and contractual requirements ... 11
5.32 Intellectual property rights ... 12
5.33 Protection of records ... 13
5.34 Privacy and protection of PII ... 13
5.35 Independent review of information security ... 13
5.36 Compliance with policies and standards for information security ... 13
5.37 Documented operating procedures ... 13
6 Cloud service specific guidance related to people controls ... 14
6.1 Screening ... 14
6.2 Terms and conditions of employment ... 14
6.3 Information security awareness, education and training ... 14
6.4 Disciplinary process ... 15
6.5 Responsibilities after termination or change of employment ... 15
6.6 Confidentiality or non-disclosure agreements ... 15
6.7 Remote working ... 15
6.8 Information security event reporting ... 15
7 Cloud service specific guidance related to physical controls ... 16
7.1 Physical security perimeter ... 16
7.2 Physical entry controls ... 16
7.3 Securing offices, rooms and facilities ... 16
7.4 Physical security monitoring ... 16
7.5 Protecting against physical and environmental threats ... 16
7.6 Working in secure areas ... 16
7.7 Clear desk and clear screen ... 16
7.8 Equipment siting and protection ... 16
7.9 Security of assets off-premises ... 16
7.10 Storage media ... 16
7.11 Supporting utilities ... 16
7.12 Cabling security ... 16
7.13 Equipment maintenance ... 16
7.14 Secure disposal or re-use of equipment ... 17
8 Cloud service specific guidance related to technological controls ... 17
8.1 User endpoint devices ... 17
8.2 Privileged access rights ... 17
8.3 Information access restriction ... 17
8.4 Access to source code ... 18
8.5 Secure authentication ... 18
8.6 Capacity management ... 18
8.7 Protection against malware ... 18
8.8 Management of technical vulnerabilities ... 18
8.9 Configuration management ... 19
8.10 Information deletion ... 19
8.11 Data masking ... 20
8.12 Data leakage prevention ... 20
8.13 Information backup ... 20
8.14 Redundancy of information processing facilities ... 21
8.15 Logging ... 21
8.16 Monitoring activities ... 22
8.17 Clock synchronization ... 22
8.18 Use of privileged utility programs ... 22
8.19 Installation of software on operational systems ... 23
8.20 Network controls ... 23
8.21 Security of network services ... 23
8.22 Segregation in networks ... 23
8.23 Web filtering ... 23
8.24 Use of cryptography ... 23
8.25 Secure development lifecycle ... 24
8.26 Application security requirements ... 24
8.27 Secure system architecture and engineering principles ... 24
8.28 Secure coding ... 24
8.29 Security testing in development and acceptance ... 25
8.30 Outsourced development ... 25
8.31 Separation of development, test and production environments ... 25
8.32 Change management ... 25
8.33 Test information ... 25
8.34 Protection of information systems during audit and testing ... 25
Annex A (normative) Cloud service extended control set ... 26
Annex B (informative) Correspondence with ISO/IEC 27017:2015 ... 30
Annex C (informative) Monitoring of cloud services ... 35
Bibliography ... 36

Foreword
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field
of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent
organ of ITU. ITU-T is responsible for studying technical, operating, and tariff questions and issuing
Recommendations on them with a view to standardizing telecommunications on a world-wide basis. The
World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the
topics for study by the ITU-T study groups that, in turn, produce Recommendations on these topics. The
approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some
areas of information technology that fall within ITU-T’s purview, the necessary standards are prepared on a
collaborative basis with ISO and IEC.
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO’s adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1 Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection, in collaboration with ITU-T. The identical
text is published as ITU-T Recommendation X.1631.
This second edition cancels and replaces the first edition (ISO/IEC 27017:2015 | ITU-T Recommendation
X.1631), which has been technically revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed, presenting the controls using a simple taxonomy and
associated attributes;
— some controls have been merged, some have been removed and several new controls have been
introduced. The complete correspondence can be found in Annex B.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
The guidelines contained within this Recommendation | International Standard are in addition to and
complement the guidelines given in ISO/IEC 27002:2022.
Specifically, this Recommendation | International Standard provides guidance supporting the
implementation of information security controls for cloud service customers (CSCs) and cloud service
providers (CSPs). Some of the guidance is for CSCs that implement the controls, and some is for CSPs to
support the implementation of those controls. The determination of the appropriate information security
controls and the extent of the utilization of the guidance provided will depend on the results of the relevant
risk assessment and the existence of any legal, regulatory, contractual or other cloud-computing-specific
information security requirements.

Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for cloud services
1 Scope
This Recommendation | International Standard gives guidelines for information security controls applicable
to the provision and use of cloud services by providing:
— additional guidance for relevant controls specified in ISO/IEC 27002:2022;
— additional controls with guidance that specifically relate to cloud services.
This Recommendation | International Standard provides controls and guidance for CSCs and CSPs.
This Recommendation | International Standard excludes any and all aspects of conformity assessment.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 22123-1:2023, Information technology — Cloud computing — Part 1: Vocabulary
ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security
controls
3 Terms, definitions and abbreviated terms
3.1 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27002:2022,
ISO/IEC 22123-1:2023, and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1.1
capability
ability to perform a specific activity
[SOURCE: ISO 19440:2020, 3.5]
3.2 Abbreviated terms
CSC cloud service customer
CSN cloud service partner
CSP cloud service provider
CSU cloud service user
IaaS infrastructure as a service
ICT information and communication technology
PaaS platform as a service
PII personally identifiable information
RTO recovery time objective
RPO recovery point objective
SaaS software as a service
SLA service level agreement
4 Cloud computing specific concepts
4.1 General
4.1.1 Overview
This Recommendation | International Standard provides additional cloud-specific guidance based on
ISO/IEC 27002 and provides additional controls to address cloud-specific information security threat and
risk considerations.
Users of this Recommendation | International Standard should refer to Clauses 5 to 8 in ISO/IEC 27002:2022
for attributes, controls, purposes, guidance and other information. Because of the general applicability of
ISO/IEC 27002:2022, many of the controls, guidance and other information apply to both the general and
cloud computing contexts of an organization. For example, "5.3 Segregation of duties" of ISO/IEC 27002
provides a control that can be applied whether the organization is acting as a CSP or not. Additionally, a CSC
can derive requirements for segregation of duties in the cloud environment from the same control, e.g. a CSC
segregating its own cloud service administrators from its other CSUs.
As an extension to ISO/IEC 27002:2022, this Recommendation | International Standard further provides
cloud service specific controls, attributes, purposes, guidance and other information that are intended to
mitigate the risks that accompany the technical and operational features of cloud services (see clause 4.1.2
for the structure of this document). Annex B provides a mapping for backwards compatibility with
ISO/IEC 27017:2015. The CSCs and the CSPs can refer to ISO/IEC 27002:2022 and this Recommendation |
International Standard to determine controls with the guidance and add other controls if necessary. This
process can be done by performing an information security risk assessment and risk treatment in the
organizational and business context where cloud services are used or provided (see clause 4.2.3).
NOTE This Recommendation | International Standard is applicable to all cloud deployment models,
including the private cloud. Even in this case, the controls and guidance of this document are applicable, although
adjustments can be needed to adapt to the relationships and abilities of the internal departments of an organization.
4.1.2 Structure of this International Standard
This Recommendation | International Standard is structured in a format similar to ISO/IEC 27002:2022.

This Recommendation | International Standard adapts the information security controls included in
ISO/IEC 27002:2022, Clauses 5 to 8, to better fit cloud computing. As in ISO/IEC 27002:2022, the categories
of controls given in Clauses 5 to 8 are referred to as themes, and the attributes of each control identified in
ISO/IEC 27002:2022 also apply.
When controls specified in ISO/IEC 27002:2022 are applicable to both the CSCs and the CSP without a need
for any additional information, only a reference to ISO/IEC 27002:2022 is provided.
In addition to the controls of ISO/IEC 27002, cloud service extended controls are given in Annex A
accompanied by the “CLD” (CLouD service extended controls) prefix. When a control of ISO/IEC 27002:2022
or Annex A needs additional cloud service specific guidance related to the control, it is given under the
subtitle “guidance for cloud services”. The guidance is provided in one of the following two types:
Type 1 (this is used when there is separate guidance for the CSC and the CSP):
  CSC            | CSP
  CSC guidance   | CSP guidance
Type 2 (this is used when the guidance is the same for both the CSC and the CSP):
  CSC            | CSP
  CSC and CSP guidance (a single cell spanning both columns)
4.2 Cloud computing specific concepts
4.2.1 Supplier relationships in cloud services
Subclauses 5.19 to 5.22 of ISO/IEC 27002:2022 provide controls, the purpose of each control, guidance and
other information for managing information security in supplier relationships. The provision and use of
cloud services is a kind of supplier relationship, where the CSC is an acquirer, and the CSP is a supplier.
Therefore, these subclauses apply to CSCs and CSPs.
CSCs and CSPs can also form a supply chain. Suppose that a CSP provides a cloud service of infrastructure
capabilities type. On top of this service, another CSP can provide a cloud service of application capabilities
type. In this case, the second CSP is a CSC with respect to the first, and a CSP with respect to the CSC using
its service. In this scenario, the organization has both CSC and CSP roles. Every organization needs to
consider which controls are applicable to it in its roles as the CSP and the CSC. This example illustrates the
case where this Recommendation | International Standard applies to an organization both as a CSC and as a
CSP. Because CSCs and CSPs form a supply chain through the provision and use of the cloud service(s), "5.21
Managing information security in the ICT supply chain" of ISO/IEC 27002:2022 applies.
The multi-part International Standard ISO/IEC 27036, "Information security for supplier relationships",
provides detailed guidance on the information security in supplier relationships to the acquirer and supplier
of products and services.
ISO/IEC 27036 Part 4 deals directly with the security of cloud services in supplier relationships. This
standard is also applicable to CSCs as acquirers and CSPs as suppliers.
4.2.2 Relationships between CSCs and CSPs
In the cloud computing environment, CSC data is stored, transmitted and processed by a cloud service.
Therefore, a CSC's business processes depend upon the information security of the cloud service. Without
sufficient control over the cloud service, the CSC might need to take extra precautions with its own
information security practices.
Before entering into a supplier relationship, the CSC needs to select a cloud service, taking into account
the possible gaps between the CSC's information security requirements and the information security
capabilities offered by the service. Once a cloud service is selected, the CSC should manage the use of the
cloud service in such a way as to meet its own information security requirements. In this relationship, the

CSP should provide the information and technical support that are necessary to meet the CSC's information
security requirements. When the information security controls provided by the CSP are pre-set and cannot
be changed by the CSC, it is possible that the CSC needs to implement additional controls of its own to
mitigate risks.
It is important to understand that there are multiple different cloud deployment models that are used in
cloud computing environments. Some of the cloud deployment models include:
— Private cloud: cloud services are used exclusively by a single cloud service customer and resources are
controlled by that cloud service customer [SOURCE: ISO/IEC 22123-1:2023, 3.2.4];
— Public cloud: cloud services are potentially available to any cloud service customer and the resources are
controlled by the cloud service provider [SOURCE: ISO/IEC 22123-1:2023, 3.2.5];
— Multi-cloud: combines public cloud services from two or more CSPs;
— Federated cloud: combines resources from members of a cloud service federation to provide cloud
services;
— Hybrid cloud: combines a private cloud with a public cloud;
— Hybrid multi-cloud: combines a hybrid cloud with a multi-cloud;
— Inter-cloud: combines the cloud services from a primary CSP with one or more cloud services from
secondary CSPs.
There are three fundamental approaches that can be taken in these different cloud deployment models:
— The CSC controls and manages the cloud services that are being delivered by each of the CSPs including
their orchestration into a cloud solution (e.g. multi-cloud);
— One CSP combines the cloud services from multiple CSPs with varying degrees of orchestration, control
and management activities (e.g. inter-cloud);
— Multiple CSPs form a partnership through out-of-band collaboration and share their resources to
create cloud services (e.g. federated cloud, which uses a cloud service federation management system to
orchestrate access to the CSPs' resources).
Note that these approaches are not mutually exclusive and it is possible to combine them. Further explanation
of these cloud deployment models can be found in ISO/IEC 5140.
Collaborative effort between the CSC and the CSP for the use and provision of the cloud service is necessary
for the CSC to achieve its objectives for information security management. It includes shared roles and
responsibilities between the CSC and the CSP. More information on allocation of roles and responsibilities
can be found in CLD.5.38.
4.2.3 Managing information security risks in cloud services
CSCs and CSPs should both have information security risk management processes in place. They are
advised to refer to ISO/IEC 27001 for the requirements related to risk management for information security
management systems, and to refer to ISO/IEC 27005 for further guidance on information security risk
management itself. ISO 31000, to which ISO/IEC 27001 and ISO/IEC 27005 are aligned, can also help with a
general understanding of risk management.
The controls and guidance given in Clauses 5 to 8 and Annex A of this Recommendation | International
Standard are used as a reference for determining and implementing controls for cloud services.
The controls and guidance provide CSCs with:
— guidance on information security measures relating to the use of cloud services;
— guidance on information and capabilities of the cloud services to be obtained from CSPs.

The controls and guidance also provide CSPs with guidance for providing information and capabilities as
a part of the cloud services to support CSCs’ information security risk management. The information and
capabilities can be provided in agreements and other documents available for CSCs.
5 Cloud service specific guidance related to organizational controls
5.1 Policies for information security
The attributes, control, purpose, guidance and other information stated in ISO/IEC 27002:2022, 5.1 and the
following additional guidance apply.
Guidance for cloud services
CSC: An information security policy on the use of cloud services sho...
CSP: Rules for the provision of the cloud service should be...
