ISO 27001 vs 27017 vs 27018: which ones do you need for cloud?

ISO 27001 is the framework. 27017 and 27018 are cloud-specific extensions. Which certification stack you actually need to bid for public-sector contracts.

2 min read

TL;DR

ISO 27001 is the general information security management standard and the only one of the three you are actually certified against. ISO 27017 is the cloud-specific code of practice; ISO 27018 is the code of practice for protecting personal data (PII) in the cloud. Both are added to the scope of a 27001 certification rather than certified on their own. A serious cloud provider needs all three in scope. As a B2B customer, you do not need them yourself: you need to verify that your provider's 27001 certificate actually covers the service you are buying and that 27017 and 27018 are part of it.

What each standard covers

ISO/IEC 27001:2022

The requirements standard for information security management systems (ISMS): how to establish, run, audit and improve one. Annex A of the 2022 edition lists 93 controls, which the organisation selects and justifies in its Statement of Applicability. Applicable to any organisation, not just cloud.

ISO/IEC 27017:2015

A code of practice for security controls in cloud services, addressed to both cloud providers and cloud customers. It adds implementation guidance to the ISO 27001 Annex A controls plus cloud-specific controls (e.g. division of responsibilities between provider and customer, removal of customer assets at contract end, segregation of tenants in virtual environments, virtual machine hardening, monitoring of cloud services).

ISO/IEC 27018:2019

A code of practice for protecting personal data (PII) in public clouds, aimed at cloud providers acting as PII processors. It is the reference cloud providers use to evidence how they handle personal data on behalf of customers, which maps onto the processor obligations under GDPR.

When each is needed

| Scenario | Needed |
|---|---|
| Non-cloud company | 27001 |
| B2B cloud provider | 27001 + 27017 |
| Cloud provider handling personal data | 27001 + 27017 + 27018 |
| Italian public tenders | 27001 + 27017 + 27018 |

Sefthy is certified on all three + ISO 9001 (quality).

Practical differences for customers

Customers evaluating a cloud provider should look at the certification stack, not a single one, and at what the certificate actually covers.

  • Just 27001? Generic provider, not cloud-specialised.
  • 27001 + 27017? Cloud-aware, but without independently assessed controls for personal data handling.
  • All three? Serious cloud provider, with controls aligned to GDPR processor obligations.

Whatever the stack, check the certificate itself: confirm the certificate number with the issuing certification body, read the scope statement to make sure it names the service and sites you are buying (a certificate covering only the provider's office IT is worthless for a hosted workload), and ask for the Statement of Applicability to see which 27017 and 27018 controls are actually implemented rather than excluded.

Cost of certification

Indicative figures for a mid-sized cloud provider (consultancy, audit and certification body fees; internal effort not included):

  • ISO 27001:2022: €25-50k year one + €10-15k maintenance.
  • Adding 27017: €5-10k.
  • Adding 27018: €5-10k.
  • Total year one: €35-70k.

ROI in 18-24 months for providers selling to regulated B2B.

FAQ

Does the B2B customer need 27017?

No. The provider needs it in the scope of its certification. ISO 27017 does contain guidance for the customer side of the shared-responsibility split, which is worth reading, but the B2B customer itself only needs ISO 27001 if it is independently subject to it.

Is 27018 mandatory for GDPR?

No. GDPR does not mandate any certification, but 27018 gives the provider an independently assessed set of PII controls that greatly simplifies the documentation it has to supply to customers as a processor.

Are there newer certifications?

The EU Cloud Services Scheme (EUCS), prepared by ENISA under the EU Cybersecurity Act, is still being finalised. For now ISO remains the de-facto standard.

For the pillar guide, ISO 27001:2022 and continuity. For cloud provider vetting, Vetting cloud providers under ISO 27001.

Want to see Sefthy in action?

Same IP, same subnet, RTO in minutes. Try it free for 7 days or talk to one of our specialists.