Beyond 27001: Why ISO 27017, 27018, and 27036 Matter More Than You Think

February 25, 2023

The ISO 27017, ISO 27018, and ISO 27036 standards are part of the ISO 27000 series of standards, which provide guidelines and best practices for information security management. These standards specifically address security issues related to cloud computing, privacy protection, and supply chain security, respectively.

The ISO 27017 standard, which was published in 2015, provides guidelines for information security controls in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27017 standard are to: 


  • Provide a common framework for evaluating and implementing information security controls in the cloud 
  • Help organizations to ensure that their cloud services are secure, and that sensitive data is protected 
  • Provide guidance on implementing the security controls specified in the ISO 27001 standard in a cloud environment 

 

The scope of the ISO 27017 standard includes the following: 

 

  • Information security controls applicable to cloud services 
  • The use of cloud services in an organization's information security management system (ISMS) 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

The ISO 27018 standard, which was published in 2014, provides guidelines for protecting personal data in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27018 standard are to: 

 

  • Provide guidance on protecting personal data in the cloud 
  • Help organizations to comply with privacy laws and regulations 
  • Provide a common framework for evaluating and implementing privacy controls in the cloud 

 

The scope of the ISO 27018 standard includes the following: 

 

  • Privacy controls applicable to cloud services 
  • The use of cloud services in an organization's privacy management system 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

The ISO 27036 standard, which was published in 2016, provides guidelines for securing the supply chain in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27036 standard are to: 

 

  • Provide a common framework for evaluating and implementing supply chain security controls in the cloud 
  • Help organizations to ensure that their cloud services are secure and that sensitive data is protected 
  • Provide guidance on implementing the security controls specified in the ISO 27001 standard in a supply chain context 

 

The scope of the ISO 27036 standard includes the following: 

 

  • Supply chain security controls applicable to cloud services 
  • The use of cloud services in an organization's supply chain security management system 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

In summary, the ISO 27017, ISO 27018, and ISO 27036 standards provide guidelines and best practices for information security management in the cloud. These standards address specific security issues related to cloud computing, privacy protection, and supply chain security, respectively. By implementing the controls specified in these standards, organizations can ensure that their cloud services are secure, and that sensitive data is protected. 

Share this article

October 21, 2025
When businesses prepare for an AI audit, they usually focus on the big issues: data breaches, biased algorithms, or compliance with new regulations. Those are obviously important, but they’re not the reason most audits go wrong. More often than not, companies stumble on the basics. Missing documentation, vague accountability, and inconsistent monitoring. These small gaps are easy to overlook in day-to-day operations, but in an audit, they’re the first things the auditor will look at. Being perfect isn’t the goal when it comes to a successful audit. It’s much more important to get the fundamentals right. In this article, we’ll highlight seven common things companies forget when preparing for AI audits, and more importantly, how to fix them before they become costly mistakes.
alt=
October 14, 2025
In 2025, regulators worldwide are stepping in to make sure AI is used responsibly. For businesses, this means compliance with AI regulations is no longer optional. In this article, we’ll break down the most important ...
alt=
October 7, 2025
ISO/IEC 42001 is the first global standard for Artificial Intelligence Management Systems. Let's explore why auditing AI management systems requires a specialized approach, what ISO/IEC 42001 entails, and what Auditors need to know to succeed.
More Posts