Extending Your ISMS to the Cloud: Adding ISO 27017 to Your ISO 27001 Program
You achieved ISO 27001 certification for your on-premise systems. But your workloads are now in AWS, Azure, and SaaS. Here is how to extend your ISMS to the cloud without starting over.
The Cloud Gap in Your ISO 27001 Certificate
Your ISO 27001 certificate hangs on the wall.
It cost you months of work and significant investment. You earned it.
Because the servers the auditor inspected may now be decommissioned. The network diagrams may show firewalls that no longer exist. The access reviews may cover Active Directory while your workforce authenticates to Azure AD.
ISO 27001:2022 contains zero cloud-specific controls.
It was written for data centers, server rooms, and on-premise infrastructure. It does not address:
- Shared responsibility models
- Multi-tenancy segregation
- Virtualization hypervisor security
- Cloud service provider exit strategies
- Container and serverless workloads
This is not a certification gap. It is an existential gap.
The fix is not recertification from zero. The fix is ISO 27017 the cloud-specific extension to ISO 27001.
This guide walks you through exactly how to extend your existing ISMS to the cloud, incorporating ISO 27017’s supplemental controls, updating your risk assessments, and adjusting your policies all while preserving your hard-won certification.
What ISO 27017 Actually Is (And Isn’t)
ISO 27017 is an extension or add-on to ISO 27001. You cannot be “ISO 27017 certified” without ISO 27001. The audit is combined. The certificate acknowledges both.
What ISO 27017 Provides
ISO/IEC 27017:2015 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:
- Additional implementation guidance for relevant controls specified in ISO/IEC 27002 (37 controls)
- Seven new cloud-specific controls that don’t exist in ISO 27001
Who It Applies To
ISO 27017 is unique in providing guidance for both cloud service providers and cloud service customers.
| Audience | Application |
|---|---|
| Cloud Service Provider (CSP) | Prove your cloud infrastructure is securely designed, operated, and maintained |
| Cloud Service Customer (CSC) | Prove you are using cloud services securely and meeting your portion of shared responsibility |
If you consume AWS, Azure, or Google Cloud you are a cloud service customer. ISO 27017 applies to you.
ISO 27017 vs. ISO 27018
| Standard | Focus Area |
|---|---|
| ISO 27017 | Cloud services overall (security controls, shared responsibility, virtualization) |
| ISO 27018 | Protection of personally identifiable information (PII) in public cloud |
Both can apply, but they serve different purposes.
The 7 New Controls Your ISMS Is Missing
ISO 27001 contains 93 controls (2022 version). ISO 27017 adds seven cloud-specific controls that directly address unique cloud risks.
| Control ID | Name | What It Requires |
|---|---|---|
| CLD.6.3.1 | Shared roles and responsibilities | Define security responsibilities between cloud service providers and customers |
| CLD.8.1.5 | Removal/return of cloud customer assets | Securely remove customer assets from cloud systems upon contract termination |
| CLD.9.5.1 | Segregation in virtual environments | Isolate customer data in virtualized cloud environments |
| CLD.9.5.2 | Virtual machine hardening | Securely configure virtual machines to reduce vulnerabilities |
| CLD.12.1.5 | Administrator’s operational security | Specify security practices for administrative operations in cloud systems |
| CLD.12.4.5 | Monitoring of cloud services | Monitor and log cloud activities for security oversight |
| CLD.15.1.3 | Alignment of virtual/physical networks | Ensure consistent security across virtual and physical cloud infrastructure |
More importantly, you are not actually controlling cloud risk.
Step 1: Update Your Statement of Applicability
Your Statement of Applicability (SoA) is the master index of your ISMS. It lists which controls apply and why.
| Annex A Control | Applicable? | Cloud Extension (ISO 27017) | Cloud Scope |
|---|---|---|---|
| A.8.1 Asset Management | ✅ Yes | CLD.8.1.5 – Removal of assets | AWS, Azure |
| A.8.9 Configuration Management | ✅ Yes | CLD.9.5.2 – VM hardening | All cloud VMs |
| A.12.6 Vulnerability Management | ✅ Yes | CLD.9.5.2 – VM hardening | Cloud workloads |
| A.12.4 Logging | ✅ Yes | CLD.12.4.5 – Cloud monitoring | All cloud platforms |
Your SoA is not a static document. It is a living map of your control environment. Update it once. Reference it everywhere.
Step 2: Create a Shared Responsibility Matrix
The dirty secret of cloud compliance: every organization has a shared responsibility model. Few organizations have a documented, auditable shared responsibility matrix.
| Cloud Service | CSP Responsibility | CSC Responsibility | Control Mapping |
|---|---|---|---|
| EC2 (IaaS) | Hypervisor, physical network, global infrastructure | Guest OS, applications, security groups, IAM | CLD.9.5.2 VM Hardening |
| RDS (PaaS) | Database engine, infrastructure security | Data, access controls, encryption at rest | CLD.6.3.1 Shared Roles |
| S3 (Storage) | Infrastructure, durability, availability | Bucket policies, data classification, public access | CLD.8.1.5 Asset Return |
| Azure AD (IDaaS) | Service availability, security controls | Tenant configuration, conditional access, MFA | CLD.12.4.5 Monitoring |
This matrix must be:
- Documented (not tribal knowledge passed between engineers)
- Approved (signed by cloud architect AND CISO)
- Accessible (in your ISMS, not a forgotten SharePoint folder)
- Reviewed (annually, or when any cloud service changes scope)
Step 3: Update Your Risk Assessment for Cloud-Specific Threats
Your existing risk register contains threats relevant to on-premise infrastructure. These are not your primary cloud risks anymore.
Cloud-Specific Threats Your Risk Register Is Missing
| Threat Category | Real-World Example | ISO 27017 Control |
|---|---|---|
| Multi-tenancy isolation failure | Container breakout in shared cluster | CLD.9.5.1 Segregation |
| Insecure CSP APIs | Compromised CI/CD credentials provision cryptominers | CLD.6.3.1 Shared Roles |
| Data residency violation | Backups replicated to unauthorized region | CLD.8.1.5 Asset Return |
| Shadow cloud procurement | Marketing launches SaaS without security review | CLD.6.3.1 Shared Roles |
| CSP lock-in | Cannot migrate workloads due to proprietary services | CLD.8.1.5 Asset Return |
| Incomplete data deletion | Storage snapshots retain deleted customer PII | CLD.8.1.5 Asset Return |
| Configuration drift | Security groups drift from approved baseline | CLD.12.4.5 Monitoring |
| Risk ID | Threat | Asset | Inherent Risk | Cloud Control | Residual Risk | Owner |
|---|---|---|---|---|---|---|
| RISK-042 | Publicly exposed S3 bucket | Customer PII | Critical | CLD.15.1.3 Network alignment | High | Cloud Sec Eng |
| RISK-089 | Unpatched EC2 vulnerability | Production workloads | High | CLD.9.5.2 VM hardening | Medium | DevOps Lead |
| RISK-112 | No cloud access reviews | Service accounts | High | CLD.6.3.1 Shared roles | Medium | IAM Owner |
Now your risk register reflects where your data actually lives.
Step 4: Adjust Your Policies (Without Rewriting Everything)
| Existing Policy | What to Add | ISO 27017 Reference |
|---|---|---|
| Access Control Policy | Cloud console access requires MFA. Service accounts require annual recertification. Temporary privilege elevation requires documented approval. | CLD.6.3.1 Shared Roles |
| Configuration Management Policy | All production virtual machines must originate from approved golden images. Drift detection must be configured and reviewed weekly. | CLD.9.5.2 VM hardening |
| Network Security Policy | Security group rules must be reviewed quarterly. 0.0.0.0/0 ingress is prohibited except for approved public endpoints. | CLD.15.1.3 Network alignment |
| Monitoring Policy | Cloud audit logs must be enabled for all services, retained for 365 days, and reviewed weekly by the security operations team. | CLD.12.4.5 Cloud monitoring |
| Supplier Security Policy | All cloud providers must complete an annual security assessment. Contracts must include right-to-audit clauses and data return/deletion commitments. | CLD.8.1.5 Asset Return |
| Incident Response Policy | Cloud security incidents require coordination with the CSP. Forensic access to cloud environments must be pre-authorized. | CLD.12.1.5 Admin security |
Now you do not have a separate “cloud policy” that collects dust. You have an integrated policy set that acknowledges where workloads actually run.
Step 5: Extend Your Evidence Collection (Not Your Workload)
| ISO 27017 Control | Required Evidence | Where It Lives Today | Where It Should Live |
|---|---|---|---|
| CLD.9.5.2 VM hardening | CIS benchmark scan reports | AWS Inspector console | /Controls/Cloud/VM Hardening/ |
| CLD.15.1.3 Network alignment | Security group review attestations | Jira tickets, closed | /Controls/Cloud/Network/ |
| CLD.12.4.5 Cloud monitoring | CloudTrail/Activity Log enablement proof | Azure Log Analytics | /Controls/Cloud/Monitoring/ |
| CLD.6.3.1 Shared roles | Service account permission reviews | Email inbox | /Controls/Cloud/Access/ |
| CLD.8.1.5 Asset return | Offboarding confirmation | Slack messages | /Controls/Cloud/AssetLifecycle/ |
The Fix
Do not create new evidence collection. Redirect existing evidence flows.
| Evidence Type | Source | Automation | Destination |
|---|---|---|---|
| VM scan report | AWS Inspector / Azure Defender | Power Automate | /Controls/Cloud/VM Hardening/ |
| Security group rules | AWS Config / Azure Policy | Scheduled export | /Controls/Cloud/Network/ |
| Audit log health | CloudTrail / Activity Log | Daily status check | /Controls/Cloud/Monitoring/ |
| Service account review | Access certification campaign | Quarterly workflow | /Controls/Cloud/Access/ |
| Offboarding confirmation | IT ticketing system | Webhook | /Controls/Cloud/AssetLifecycle/ |
Now evidence collection is not a manual activity. It is a byproduct of normal cloud operations.
The 90-Day Cloud Extension Roadmap
| Phase | Weeks | Activity | Output |
|---|---|---|---|
| 1. Discovery | 1–2 | Inventory all cloud services (sanctioned + shadow) | Cloud asset register |
| 2. Gap Analysis | 3–4 | Compare current ISMS against ISO 27017 controls | Gap assessment report |
| 3. SoA Update | 5 | Add ISO 27017 controls; document exclusions | Updated Statement of Applicability |
| 4. Shared Responsibility | 6–7 | Document CSP/CSC responsibilities per service | Approved SRM |
| 5. Risk Update | 8–9 | Add cloud threat scenarios; reassess risk scores | Updated risk register |
| 6. Policy Update | 10–11 | Integrate cloud requirements into existing policies | Revised policy documents |
| 7. Evidence Remediation | 12 | Connect cloud evidence sources to ISMS | Populated evidence folders |
| 8. Internal Audit | 13 | Pre-audit against ISO 27017 extension | Internal audit report |
| 9. Certification Audit | 14–17 | Stage 1 + Stage 2 with your certification body | ISO 27017 endorsement |
Why This Works Better With Our SharePoint ISMS Platform
You already have an ISMS. You already have SharePoint. You do not need new software. You need pre-configured cloud controls.
| ISO 27017 Requirement | DIY Approach | Our Platform Delivers |
|---|---|---|
| Updated SoA | Manual data entry, cross-reference errors | ISO 27017 controls pre-loaded. Click “Applicable.” Done. |
| Shared responsibility matrix | Create from blank. Who owns what? Fight ensues. | Template with AWS/Azure/GCP service mappings. 30 minutes. |
| Cloud risk scenarios | Brainstorming sessions. Missed threats. | Pre-loaded threat library per cloud service. Select. Assess. |
| VM hardening evidence | “Can someone grab an Inspector report?” | Pre-configured evidence folder. Connector to AWS Inspector. |
| Policy updates | Lawyers. Reviews. Redlines. | Cloud-ready policy templates. Edit. Publish. |
| Audit readiness | Panic. | All controls mapped. All evidence organized. Open folder. |
The 15-Minute Cloud Extension Diagnostic
You do not need to guess whether your ISMS is ready for ISO 27017.
Book 15 minutes with our team.
We will open your current ISMS (or our demo tenant). We will show you:
- Which of the 7 ISO 27017 controls you already satisfy (most organizations are 3–4 controls deep without knowing it)
- Where your shared responsibility documentation has gaps (this is where 80% of cloud audit findings originate)
- One control you can close this week with evidence already in your cloud environment
This is not a sales pitch. It is a gap analysis.
The Question Every Compliance Leader Must Answer
Yes. The blueprint is in this blog post. The controls are published. The methodology is clear.
Only if you have 90 days, a compliance team that understands cloud architecture, an engineering team that has bandwidth for “compliance projects,” and an audit deadline that is flexible.
If your audit deadline is not flexible book the call.
Our platform deploys in days. Not months. The controls are pre-mapped. The evidence folders are pre-created. The shared responsibility matrix is pre-populated.
Conclusion: From On-Premise to Cloud-Native Compliance
Your ISO 27001 certificate still accurately reflects your on-premise controls from years past. But your workloads are no longer on premise.
The gap between where your controls are documented and where your data actually lives is where audit findings breed.
ISO 27017 closes that gap by providing:
- Clear shared responsibility definitions
- Seven cloud-specific controls
- Implementation guidance for both providers and customers
- A framework for extending your ISMS without starting over
The companies that treat ISO 27017 as a “cloud add-on” spend their careers chasing evidence. The companies that treat it as an ISMS extension spend their time actually securing cloud workloads.
ISO 27017 Extension Checklist
| Task | Done? |
|---|---|
| Add the 7 ISO 27017 controls to your SoA | ☐ |
| Document a shared responsibility matrix per cloud service | ☐ |
| Add cloud threat scenarios to your risk register | ☐ |
| Update existing policies with cloud-specific requirements | ☐ |
| Map evidence sources and redirect evidence to cloud control folders | ☐ |
| Run an internal audit against the ISO 27017 extension | ☐ |
Follow Canadian Cyber
Get practical ISMS automation playbooks, evidence workflows, and audit-readiness tips.
