The landscape of cloud security is continuously evolving, and organizations must stay ahead of regulatory and compliance changes to maintain robust security postures. One of the most significant developments in cloud security standards is the recent release of the Draft International Standard (DIS) revision to ISO 27017, which provides essential guidelines for information security controls in cloud services.

With the voting ballot set to close by the end of April 2025, this updated standard aligns with ISO 27001:2022 and introduces notable changes that impact both cloud service customers (CSC) and cloud service providers (CSP). The official update is expected to be published between August and September 2025. Let’s dive into the critical updates and what they mean for cloud security.

Understanding ISO 27017:2025 – What’s New?

ISO 27017 plays a crucial role in defining the shared responsibility model between CSCs and CSPs, ensuring that security controls remain suitable, adequate, and effective. The new draft standard builds upon its predecessor (ISO 27017:2015) with several key updates:

1. Title Change and Structural Alignment

The revised ISO 27017:2025 title better reflects its scope, emphasizing cloud security controls based on ISO 27002. Additionally, it aligns with ISO 27001:2022, categorizing security controls into four major groups:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

2. Incorporation of New Security Controls

One of the most significant updates is the integration of 11 new security controls from ISO 27001:2022, enhancing the security framework for cloud services:

  • A.5.7 Threat Intelligence – Understanding and mitigating cloud-specific threats.
  • A.5.23 Information Security for Use of Cloud Services – Defining clear security responsibilities.
  • A.5.30 ICT Readiness for Business Continuity – Ensuring cloud resilience.
  • A.7.4 Physical Security Monitoring – Strengthening cloud infrastructure security.
  • A.8.9 Configuration Management – Enhancing cloud configuration control.
  • A.8.10 Information Deletion – Establishing secure data removal processes.
  • A.8.11 Data Masking – Protecting sensitive cloud data.
  • A.8.12 Data Leakage Prevention – Implementing stronger cloud DLP measures.
  • A.8.16 Monitoring Activities – Improving cloud security monitoring.
  • A.8.23 Web Filtering – Securing cloud environments against web threats.
  • A.8.28 Secure Coding – Reinforcing secure application development.

3. Key References to Other ISO Standards

The new ISO 27017 DIS revision highlights the importance of complementary standards, including:

  • ISO 27036 (Information Security for Supplier Relationships) – Especially Part 4, focusing on cloud service security.
  • ISO 22123 (Cloud Computing) – Covering essential concepts, vocabulary, and reference architectures.
  • ISO 5140:2024 – Addressing multi-cloud and multiple cloud services security considerations.

Interestingly, ISO 3445:2022 (Audit of Cloud Services) is not cited in the draft but remains highly relevant for organizations looking to assess and validate cloud security controls.

Changes in Cloud Security Annexes

The new draft introduces three annexes to enhance cloud security implementation:

  • Annex A – Cloud Service Extended Control Set
    • Reduces extended controls from seven (ISO 27017:2015) to four, streamlining security guidance.
  • Annex B – Correspondence with ISO 27017:2015
    • Outlines key modifications and how they impact existing security frameworks.
  • Annex C – Monitoring of Cloud Services
    • Details security monitoring (A.8.16) and configuration management (A.8.9) in cloud environments.

What This Means for Organizations

With the impending changes in ISO 27017:2025, organizations leveraging cloud services must:

  • Reevaluate existing cloud security policies to align with the updated controls.
  • Assess shared responsibility models to ensure clear security ownership between CSCs and CSPs.
  • Enhance monitoring and data security strategies by integrating new control requirements.
  • Prepare for compliance audits by understanding the interplay between ISO 27001, ISO 27017, and other relevant standards.

Final Thoughts

The ISO 27017:2025 Draft International Standard signifies a major shift in cloud security best practices, reinforcing the need for continuous improvement in cloud governance, risk management, and compliance. As organizations navigate this transition, staying informed and proactively adjusting security frameworks will be critical to maintaining robust cloud security postures.

With the final publication expected in late 2025, now is the time to assess your cloud security controls and prepare for the evolving regulatory landscape.

Need expert guidance on aligning your cloud security with ISO standards? Contact us today to ensure your organization is compliant, secure, and resilient in the evolving cloud ecosystem!