

{"id":319,"date":"2025-02-05T10:43:37","date_gmt":"2025-02-05T05:13:37","guid":{"rendered":"https:\/\/www.securis360.com\/blog\/?p=319"},"modified":"2026-02-18T18:44:27","modified_gmt":"2026-02-18T18:44:27","slug":"iso-270172025-draft-international-standard-dis-key-updates-and-implications-for-cloud-security","status":"publish","type":"post","link":"https:\/\/securis360.com\/blog\/iso-270172025-draft-international-standard-dis-key-updates-and-implications-for-cloud-security\/","title":{"rendered":"ISO 27017:2025 Draft International Standard (DIS) \u2013 Key Updates and Implications for Cloud Security"},"content":{"rendered":"\n<p>The landscape of cloud security is continuously evolving, and organizations must stay ahead of regulatory and compliance changes to maintain robust security postures. One of the most significant developments in cloud security standards is the recent release of the Draft International Standard (DIS) revision to <strong>ISO 27017<\/strong>, which provides essential guidelines for <strong>information security controls in cloud services<\/strong>.<\/p>\n\n\n\n<p>With the <strong>voting ballot set to close by the end of April 2025<\/strong>, this updated standard aligns with ISO 27001:2022 and introduces notable changes that impact both <strong>cloud service customers (CSC)<\/strong> and <strong>cloud service providers (CSP)<\/strong>. The official update is expected to be published between <strong>August and September 2025<\/strong>. Let&#8217;s dive into the critical updates and what they mean for cloud security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Understanding ISO 27017:2025 \u2013 What&#8217;s New?<\/strong><\/h2>\n\n\n\n<p>ISO 27017 plays a crucial role in defining the <strong>shared responsibility model<\/strong> between CSCs and CSPs, ensuring that security controls remain <strong>suitable, adequate, and effective<\/strong>. 
The <strong>new draft standard<\/strong> builds upon its predecessor (ISO 27017:2015) with several key updates:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. Title Change and Structural Alignment<\/strong><\/h3>\n\n\n\n<p>The revised <strong>ISO 27017:2025<\/strong> title better reflects its scope, emphasizing <strong><a href=\"https:\/\/securis360.com\/cloud-security-testing-services.shtml\">cloud security controls<\/a> based on ISO 27002<\/strong>. Additionally, it aligns with <strong>ISO 27001:2022<\/strong>, categorizing security controls into four major groups:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Organizational controls<\/strong><\/li>\n\n\n\n<li><strong>People controls<\/strong><\/li>\n\n\n\n<li><strong>Physical controls<\/strong><\/li>\n\n\n\n<li><strong>Technological controls<\/strong><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. Incorporation of New Security Controls<\/strong><\/h3>\n\n\n\n<p>One of the most significant updates is the <strong>integration of 11 new security controls<\/strong> from <strong>ISO 27001:2022<\/strong>, enhancing the security framework for cloud services:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>A.5.7 Threat Intelligence<\/strong> \u2013 Understanding and mitigating cloud-specific threats.<\/li>\n\n\n\n<li><strong>A.5.23 Information Security for Use of Cloud Services<\/strong> \u2013 Defining clear security responsibilities.<\/li>\n\n\n\n<li><strong>A.5.30 ICT Readiness for Business Continuity<\/strong> \u2013 Ensuring cloud resilience.<\/li>\n\n\n\n<li><strong>A.7.4 Physical Security Monitoring<\/strong> \u2013 Strengthening cloud infrastructure security.<\/li>\n\n\n\n<li><strong>A.8.9 Configuration Management<\/strong> \u2013 Enhancing cloud configuration control.<\/li>\n\n\n\n<li><strong>A.8.10 Information Deletion<\/strong> \u2013 Establishing secure data removal processes.<\/li>\n\n\n\n<li><strong>A.8.11 Data Masking<\/strong> \u2013 Protecting sensitive cloud 
data.<\/li>\n\n\n\n<li><strong>A.8.12 Data Leakage Prevention<\/strong> \u2013 Implementing stronger cloud DLP measures.<\/li>\n\n\n\n<li><strong>A.8.16 Monitoring Activities<\/strong> \u2013 Improving cloud security monitoring.<\/li>\n\n\n\n<li><strong>A.8.23 Web Filtering<\/strong> \u2013 Securing cloud environments against web threats.<\/li>\n\n\n\n<li><strong>A.8.28 Secure Coding<\/strong> \u2013 Reinforcing secure application development.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Key References to Other ISO Standards<\/strong><\/h3>\n\n\n\n<p>The <strong>new ISO 27017 DIS<\/strong> revision highlights the importance of complementary standards, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ISO 27036<\/strong> (Information Security for Supplier Relationships) \u2013 Especially <strong>Part 4<\/strong>, focusing on cloud service security.<\/li>\n\n\n\n<li><strong>ISO 22123<\/strong> (Cloud Computing) \u2013 Covering essential concepts, vocabulary, and reference architectures.<\/li>\n\n\n\n<li><strong>ISO 5140:2024<\/strong> \u2013 Addressing multi-cloud and multiple cloud services security considerations.<\/li>\n<\/ul>\n\n\n\n<p>Interestingly, <strong>ISO 3445:2022<\/strong> (Audit of Cloud Services) is not cited in the draft but remains highly relevant for organizations looking to <strong>assess and validate cloud security controls<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Changes in Cloud Security Annexes<\/strong><\/h2>\n\n\n\n<p>The new draft introduces <strong>three annexes<\/strong> to enhance cloud security implementation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Annex A \u2013 Cloud Service Extended Control Set<\/strong>\n<ul class=\"wp-block-list\">\n<li>Reduces extended controls from <strong>seven (ISO 27017:2015)<\/strong> to <strong>four<\/strong>, streamlining security guidance.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Annex B \u2013 Correspondence with ISO 
27017:2015<\/strong>\n<ul class=\"wp-block-list\">\n<li>Outlines key modifications and how they impact existing security frameworks.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Annex C \u2013 Monitoring of Cloud Services<\/strong>\n<ul class=\"wp-block-list\">\n<li>Details security monitoring (A.8.16) and configuration management (A.8.9) in cloud environments.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>What This Means for Organizations<\/strong><\/h2>\n\n\n\n<p>With the impending changes in <strong>ISO 27017:2025<\/strong>, organizations leveraging cloud services must:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reevaluate existing cloud security policies<\/strong> to align with the updated controls.<\/li>\n\n\n\n<li><strong>Assess shared responsibility models<\/strong> to ensure clear security ownership between CSCs and CSPs.<\/li>\n\n\n\n<li><strong>Enhance monitoring and data security strategies<\/strong> by integrating the new control requirements.<\/li>\n\n\n\n<li><strong>Prepare for compliance audits<\/strong> by understanding the interplay between <strong>ISO 27001, ISO 27017, and other relevant standards<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Final Thoughts<\/strong><\/h2>\n\n\n\n<p>The <strong>ISO 27017:2025 Draft International Standard<\/strong> signifies a major shift in <strong>cloud security best practices<\/strong>, reinforcing the need for <strong>continuous improvement in cloud governance, risk management, and compliance<\/strong>. As organizations navigate this transition, staying informed and proactively adjusting security frameworks will be critical to maintaining robust <strong>cloud security postures<\/strong>.<\/p>\n\n\n\n<p>With the final publication expected <strong>later in 2025<\/strong>, now is the time to <strong>assess your cloud security controls and prepare for the evolving regulatory landscape<\/strong>.<\/p>\n\n\n\n<p>Need expert guidance on aligning your cloud security with ISO standards? 
Contact us today to ensure your organization is <strong>compliant, secure, and resilient<\/strong> in the evolving cloud ecosystem!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The landscape of cloud security is continuously evolving, and organizations must stay ahead of regulatory and compliance changes to maintain robust security postures. One of the most significant developments in cloud security standards is the recent release of the Draft International Standard (DIS) revision to ISO 27017, which provides essential guidelines for information security controls [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1120,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[15,16,17,36,14],"class_list":["post-319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-cybercrime","tag-cybersecurity","tag-data-protection","tag-information-security","tag-third-party-cybersecurity-risk"],"_links":{"self":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/comments?post=319"}],"version-history":[{"count":1,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/319\/revisions"}],"predecessor-version":[{"id":1121,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/posts\/319\/revisions\/1121"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media\/1120"}],"wp:attachment":[{"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/media?parent=319"}],"wp:term"
:[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/categories?post=319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securis360.com\/blog\/wp-json\/wp\/v2\/tags?post=319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}