Seguridad en la nube

ISO 27017 · ISO 27018

Every time your company uses Microsoft 365, AWS or any public cloud, your clients' and employees' data is in a third party's hands. ISO 27017 and ISO 27018 are the international standards that define how to protect that data and demonstrate that commitment to clients, auditors and regulators.

StandardsISO/IEC 27017:2015 · ISO/IEC 27018:2025
Estimated duration4-6 months (on top of existing ISO 27001)
ScopeCompanies using services or data in the public cloud

The cloud has changed where data lives, but it has not changed who is accountable to regulators or to a client when a breach occurs. ISO 27017 adds 37 controls adapted to the cloud environment (plus 7 exclusive to cloud) on top of the baseline requirements of ISO 27001: it defines which responsibilities belong to the provider and which to the customer, how to harden virtual machines, how to ensure segregation between environments, and how to monitor what happens inside the service. The result is a clear security map for any company that uses infrastructure as a service (IaaS), platform (PaaS) or software (SaaS).

ISO 27018, in its most recent edition (2025), goes a step further and focuses on personal data: it establishes a set of controls aimed at ensuring informed consent, limiting the use of information to contracted purposes, facilitating secure deletion at the end of the service, and maintaining transparency about the sub-processors used. Its principles are complementary to the GDPR, so implementing ISO 27018 directly strengthens regulatory compliance that is already required. The August 2025 edition also incorporates specific guidance for containers and microservices, aligned with current cloud architectures.

Neither standard is independently certifiable: they are audited as extensions of the Information Security Management System (ISMS) based on ISO 27001. This means that if your company already has — or is in the process of implementing — ISO 27001, adding the scope of ISO 27017 and ISO 27018 does not mean starting from scratch: it means extending the ISMS with cloud-specific controls and subjecting that expanded scope to a third-party accredited audit (AENOR, Bureau Veritas, SGS or another body). The certificate issued by that third party is what accredits conformity; Summum Calidad guides you through the entire preparation process.

The ISO 27017 process.

The process · four stages
01

Cloud maturity diagnosis

We map all the cloud services your company uses (SaaS, IaaS, PaaS), identify which personal or critical data resides in them, and assess the current level of control against the requirements of ISO 27017 and ISO 27018. The output is a gap report with risk-based prioritisation.

02

Control design and implementation

We develop or adapt the policies, procedures and technical measures required: shared-responsibility clauses with cloud providers, virtual environment hardening, encryption of data in transit and at rest, sub-processor management, secure data deletion and offboarding procedures, and cloud-specific incident response mechanisms.

03

Integration into the ISMS

We extend the scope of the ISO 27001 ISMS (existing or in implementation) to include the controls of ISO 27017 and ISO 27018. We update the statement of applicability, the risk assessment and the system documentation so that everything is traced and audited.

04

Audit and certification support

We carry out an internal pre-audit to detect non-conformities before the certification body does. We accompany you throughout the third-party audit — answering technical questions, providing evidence, coordinating with the team — until the certificate is issued.

What is included

What ISO 27017 includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Cloud service inventory and classification

    Complete catalogue of providers, contracts and data processed in the cloud, with responsibilities assigned according to the shared-responsibility model.

  • Cloud security policies

    Documentation of controls specific to IaaS, PaaS and SaaS: privileged access, virtual network segmentation, hardening of virtual machine images.

  • Cloud privacy framework (ISO 27018)

    Procedures for consent, retention, portability and deletion of personal data hosted in public clouds, aligned with the GDPR.

  • Sub-processor management

    Up-to-date register of cloud providers' sub-processors, security level assessment and mandatory contractual clauses.

  • Cloud incident response plan

    Specific procedure for security breaches in cloud environments: containment, notification to the supervisory authority within the legal deadline (72 hours), communication to data subjects and recovery.

  • Internal audit and certification pre-audit

    Independent review of the system before the external audit, with a findings report and corrective action plan so there are no surprises at certification.

Summum cluster

How it connects with its sisters.

Cloud security intersects with the managed cybersecurity strategy of Summum Sistemas (SOC and cloud) and with the regulatory compliance services of Summum Consultoría (NIS2, GDPR, external DPO): when a project requires it, all three teams work in a coordinated way so the client does not have to manage three separate providers.

Frequently asked questions about ISO 27017.

Can I be certified in ISO 27017 or ISO 27018 independently?

No. Neither standard is independently certifiable. Certification is obtained by expanding the scope of an ISO 27001-based ISMS: the accredited certification body audits the system as a whole and includes coverage of ISO 27017 and ISO 27018 in the certificate. Summum Calidad guides you from diagnosis to certificate issuance, but it is always an accredited third party (AENOR, Bureau Veritas, SGS, etc.) that issues the certificate.

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 addresses technical and organisational security in the cloud: it defines controls for cloud providers and customers covering hardening, segregation, monitoring and shared responsibilities. ISO 27018 focuses specifically on personal data (PII) processed in public clouds when the provider acts as a data processor: consent, purpose limitation, secure deletion and transparency towards data subjects. They are complementary and are typically implemented together.

Does ISO 27018 replace or duplicate the GDPR?

It does not replace the GDPR: the standard has no force of law. What it does is provide a technical and documentary framework that facilitates GDPR compliance in the cloud environment, covering gaps that the regulation does not address at the level of specific controls. Having ISO 27018 implemented and audited strengthens your company's position in the event of a supervisory authority inspection and with clients that require guarantees about how their data is handled in the cloud.

What type of company should implement these standards?

Any company that uses public cloud services to process data belonging to clients, patients, employees or any identifiable person. The benefit is especially clear for: B2B service providers that undergo security audits from their clients; organisations in regulated sectors such as healthcare, finance or logistics; and those that, following the entry into force of NIS2, are classified as essential or important entities.

How long does it take to implement ISO 27017 and ISO 27018 on top of an existing ISO 27001?

If the company already has an operational ISO 27001-certified ISMS, the process of expanding its scope to include ISO 27017 and ISO 27018 can be completed in four to six months, depending on the complexity of the cloud services used and the number of providers involved. If the starting point is zero (no ISO 27001), the timeline is longer because the base ISMS must be built first.