Beyond 27001: Why ISO 27017, 27018, and 27036 Matter More Than You Think

The ISO 27017, ISO 27018, and ISO 27036 standards are part of the ISO 27000 series of standards, which provide guidelines and best practices for information security management. These standards specifically address security issues related to cloud computing, privacy protection, and supply chain security, respectively.

The ISO 27017 standard, which was published in 2015, provides guidelines for information security controls in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27017 standard are to:

Provide a common framework for evaluating and implementing information security controls in the cloud
Help organizations to ensure that their cloud services are secure, and that sensitive data is protected
Provide guidance on implementing the security controls specified in the ISO 27001 standard in a cloud environment

The scope of the ISO 27017 standard includes the following:

Information security controls applicable to cloud services
The use of cloud services in an organization's information security management system (ISMS)
The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services

The ISO 27018 standard, which was published in 2014, provides guidelines for protecting personal data in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27018 standard are to:

Provide guidance on protecting personal data in the cloud
Help organizations to comply with privacy laws and regulations
Provide a common framework for evaluating and implementing privacy controls in the cloud

The scope of the ISO 27018 standard includes the following:

Privacy controls applicable to cloud services
The use of cloud services in an organization's privacy management system
The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services

The ISO 27036 standard, which was published in 2016, provides guidelines for securing the supply chain in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27036 standard are to:

Provide a common framework for evaluating and implementing supply chain security controls in the cloud
Help organizations to ensure that their cloud services are secure and that sensitive data is protected
Provide guidance on implementing the security controls specified in the ISO 27001 standard in a supply chain context

The scope of the ISO 27036 standard includes the following:

Supply chain security controls applicable to cloud services
The use of cloud services in an organization's supply chain security management system
The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services

In summary, the ISO 27017, ISO 27018, and ISO 27036 standards provide guidelines and best practices for information security management in the cloud. These standards address specific security issues related to cloud computing, privacy protection, and supply chain security, respectively. By implementing the controls specified in these standards, organizations can ensure that their cloud services are secure, and that sensitive data is protected.

< Older Post

Newer Post >

Share this article

Your Data Isn't Anonymous — and AI Knows It

November 24, 2025

AI can re-identify individuals hidden in anonymous datasets. Learn how GDPR, the EU AI Act, and strong AI GRC frameworks protect privacy in an algorithmic world.

Free Training: Safety, Security, and Resilience in AI Systems

November 18, 2025

As AI becomes embedded in critical areas, like healthcare and finance, understanding the concept of safety has never been more important. In this video, we explore how the principles of safety, security and resilience form the foundation of trustworthy AI — preventing harm, protecting against attacks, and ensuring systems can recover from failure. You’ll learn how to apply these concepts in practice using global frameworks like ISO/IEC 42001, the EU AI Act, and the NIST AI RMF, and why these 3 principles must evolve together as part of a responsible AI governance strategy. Interested in learning more? Explore our AI GRC courses here.

Free Training: Privacy and Data Protection in AI Systems

November 18, 2025

How does AI handle personal data and what does that mean for privacy and compliance? In this video, we explore how artificial intelligence challenges traditional data protection principles, from consent and transparency to data minimisation and accountability. Learn how regulations like the EU AI Act and GDPR are shaping the future of responsible AI, and what GRC professionals need to know to manage privacy risk in intelligent systems. Interested in more information? Explore our AI GRC courses here.

Beyond 27001: Why ISO 27017, 27018, and 27036 Matter More Than You Think

Your Data Isn't Anonymous — and AI Knows It

Free Training: Safety, Security, and Resilience in AI Systems

Free Training: Privacy and Data Protection in AI Systems

Copyright 2025 iFactum® All Rights Reserved.

About Us

About SafeShield

Information Security Commitment

Commitment to our Customers

Privacy Policy

Cookie Declaration

Services

ISMS Implementation

Risk Assessments

Vulnerability Scans

Penetration Testing

Incident Response Planning

Security Audits

Business Continuity Planning

Security Training & Certification

Cybersecurity Training for Executives

Supply Chain Risk Management

Compliance Management

Continuous Compliance Monitoring

Contact Us

Chat with us or send your inquiry via our Contact Us form.