What is the primary objective of ISO 27017?

ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4). Published in 2015, it addresses shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs), covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations security, customer monitoring, and virtual network alignment within an ISO 27001 ISMS.

Who is legally or professionally required to comply with ISO 27017?

No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice. Professionally, CSPs and CSCs with significant cloud footprints adopt it to demonstrate due diligence, especially in regulated sectors or procurement demanding cloud security assurance; ~94% of organizations use cloud services, with 61% reporting incidents driving its relevance.

Does ISO 27017 require an external audit or third-party certification?

ISO 27017 does not require standalone external audit or certification, as it is not a certifiable management system. Controls are assessed within an ISO 27001 audit by accredited certification bodies, often via joint scope inclusion, yielding ISO 27001 certificates referencing ISO 27017 conformance.

How often should an assessment for ISO 27017 be performed?

ISO 27017 assessments occur during annual ISO 27001 surveillance audits and triennial re-certification. Continuous monitoring of cloud controls (e.g., configurations, logging) supports ongoing effectiveness, with formal re-assessments triggered by significant changes like new services or risk updates.

What are the consequences of non-compliance with ISO 27017?

Non-compliance with ISO 27017 carries no direct legal penalties, as it is voluntary. Indirect consequences include heightened breach risk from unaddressed cloud threats (e.g., multi-tenancy failures), failed procurements, regulatory scrutiny under data laws, and loss of market differentiation for CSPs.

Can ISO 27017 be mapped to other international frameworks?

Yes, ISO 27017 maps directly to ISO 27001/27002 controls and aligns with frameworks like NIST SP 800-53 and CSA STAR via its 37 extended and 7 CLD controls. ~70% of CSPs map it for cross-framework compliance, facilitating unified evidence in multi-standard environments.

What is the first step to begin implementing ISO 27017?

Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls. Define ISMS scope including cloud services, document shared CSP/CSC responsibilities (per CLD.6.3.1), and update the Statement of Applicability with the 37 guided and 7 CLD controls.

What is the primary objective of MLPS 2.0 (Multi-Level Protection Scheme)?

The primary objective of MLPS 2.0 is to classify information systems into five protection levels based on potential harm to national security, social order, and public interests, ensuring commensurate technical, management, and governance controls. Originating from China's 2017 Cybersecurity Law (Article 21), it mandates network operators to prevent attacks, data breaches, and disruptions through graded requirements in standards like GB/T 22239-2019, covering cloud, IoT, big data, and industrial systems.

Who is legally or professionally required to comply with MLPS 2.0 (Multi-Level Protection Scheme)?

All network operators in mainland China, including domestic firms, foreign-invested enterprises, and multinationals with local systems, must comply with MLPS 2.0. This encompasses operators of IT networks, cloud platforms, IoT, big data, and industrial controls, with critical sectors like finance, energy, and telecom often at Level 3+.

Does MLPS 2.0 (Multi-Level Protection Scheme) require an external audit or third-party certification?

Yes, MLPS 2.0 requires external security reviews by licensed Chinese firms for Level 2+ systems, with PSB approval and a minimum passing score of 70/100. Level 3+ demands annual evaluations per GB/T 28448-2019, including documentation, testing, and on-site inspections.

How often should an assessment for MLPS 2.0 (Multi-Level Protection Scheme) be performed?

Assessments under MLPS 2.0 must occur biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus after major changes. Self-inspections are continuous, with re-evaluations triggered by architecture shifts like cloud migrations.

What are the consequences of non-compliance with MLPS 2.0 (Multi-Level Protection Scheme)?

Non-compliance with MLPS 2.0 results in fines up to 100,000 yuan, operational suspensions, system shutdowns, and intensified PSB inspections. Enforcement links to business license renewals, with cases of multi-million yuan fines for data failures.

Can MLPS 2.0 (Multi-Level Protection Scheme) be mapped to other international frameworks?

Yes, MLPS 2.0 maps to frameworks like ISO 27001 and NIST CSF, aligning organizational, physical, and technical controls. Leverage ISO's Statement of Applicability for MLPS gap analysis, though MLPS adds prescriptive grading and PSB oversight.

What is the first step to begin implementing MLPS 2.0 (Multi-Level Protection Scheme)?

The first step is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact to national security and social order. Inventory assets, document rationale per GB/T 22239-2019, then file with local PSB within 30 days for Level 2+.

Standards Comparison

ISO 27017 vs MLPS 2.0 (Multi-Level Protection Scheme)

ISO 27017

Voluntary

2015

International code for cloud-specific security controls

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

China's mandatory graded cybersecurity protection scheme

Quick Verdict

ISO 27017 provides voluntary cloud security guidance integrated into global ISMS for CSPs worldwide, while MLPS 2.0 mandates graded protections for all Chinese networks with PSB enforcement. Companies adopt ISO for trust, MLPS for legal compliance.

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Introduces seven cloud-specific security controls
Ensures multi-tenant segregation and VM hardening
Mandates secure asset removal and data lifecycle management
Enables customer monitoring of cloud service activities

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five impact-based protection levels for systems
Mandatory classification and PSB registration Level 2+
Technical controls for cloud, IoT, big data
Governance, personnel, third-party management requirements
Third-party audits scoring 70/100 minimum

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls based on ISO/IEC 27002. It extends ISO 27001 ISMS for cloud environments, addressing shared responsibilities in IaaS, PaaS, SaaS across public, private, hybrid deployments. Its risk-based approach adapts controls to unique cloud risks like multi-tenancy and virtualization.

Key Components

Additional implementation guidance for 37 ISO 27002 controls in cloud contexts.
Seven new CLD controls: shared roles, VM segregation/hardening, admin operations, customer monitoring, asset removal.
Built on ISO 27001; integrated into ISMS audits, no standalone certification.
Dual perspectives for CSPs and CSCs.

Why Organizations Use It

Resolves shared responsibility ambiguities, preventing security gaps.
Supports regulatory compliance (GDPR, CCPA) and procurement demands.
Enhances risk management for cloud incidents.
Provides competitive differentiation and customer trust.
Boosts reputation via auditable cloud security posture.

Implementation Overview

Integrate via ISO 27001 risk assessment, control mapping, SoA updates.
Implement configurations, policies, training; audit as 27001 extension.
Applies to CSPs/CSCs of all sizes globally.
Joint audits (9-12 months) with 27001 reduce costs.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's legally mandated regulatory framework for cybersecurity, operationalizing Article 21 of the 2016 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, applying graded technical, governance, and physical controls.

Key Components

Domains: physical security, network protection, access control, data security, monitoring, governance.
Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Compliance: self-classification, third-party audits (Level 2+), PSB approval, periodic re-evaluations.

Why Organizations Use It

Avoids fines, license suspensions, inspections.
Strengthens resilience against cyber threats.
Essential for China market access, operations.
Builds regulator trust, competitive edge.

Implementation Overview

Phased: inventory, classify, gap analysis, remediate, audit, monitor.
Targets all China-based network operators; intensive for multinationals.
Mandatory audits, filings for Level 2+ systems.

Key Differences

Aspect	ISO 27017	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Cloud-specific security controls for ISMS	Graded protection for all networks/systems
Industry	All industries, global CSPs/customers	All sectors in China, mandatory for operators
Nature	Voluntary guidance, ISO 27001 extension	Mandatory regulation, enforced by PSBs
Testing	ISO 27001 audits include 27017 controls	Third-party evaluations, PSB approval Level 2+
Penalties	Loss of certification, no legal fines	Fines, suspensions, operational shutdowns

Scope

ISO 27017

Cloud-specific security controls for ISMS

MLPS 2.0 (Multi-Level Protection Scheme)

Graded protection for all networks/systems

Industry

ISO 27017

All industries, global CSPs/customers

MLPS 2.0 (Multi-Level Protection Scheme)

All sectors in China, mandatory for operators

Nature

ISO 27017

Voluntary guidance, ISO 27001 extension

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory regulation, enforced by PSBs

Testing

ISO 27017

ISO 27001 audits include 27017 controls

MLPS 2.0 (Multi-Level Protection Scheme)

Third-party evaluations, PSB approval Level 2+

Penalties

ISO 27017

Loss of certification, no legal fines

MLPS 2.0 (Multi-Level Protection Scheme)

Fines, suspensions, operational shutdowns

Frequently Asked Questions

Common questions about ISO 27017 and MLPS 2.0 (Multi-Level Protection Scheme)

ISO 27017 FAQ

MLPS 2.0 (Multi-Level Protection Scheme) FAQ

You Might also be Interested in These Articles...

Beyond the Checkbox: Why Maturity Assessments are the Secret to Sustainable Compliance

Discover why maturity assessments beat binary compliance checks by uncovering hidden gaps and enabling continuous improvement for sustainable success. Read now!

The NIS2 "FTE Trap": Why 5 Analysts for 24/7 Security is Actually 8 (and Why the Board Needs to Know)

Exposed: NIS2 FTE Trap math shows 5 analysts fail 24/7 coverage due to sickness, training, leave & 2026 churn. Line-by-line breakdown for compliance. Alert your

The 'Black Box' Risk: Why Human-in-the-Loop is the Ultimate Fail-Safe for 2026 Security Operations

Uncover the black box AI risk in security ops. Learn why human-in-the-loop auditing is crucial for 2026. Upskill analysts to ensure data privacy and robust secu

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 27017 and MLPS 2.0 (Multi-Level Protection Scheme) compare against other standards

Other ISO 27017 Comparisons

Other MLPS 2.0 (Multi-Level Protection Scheme) Comparisons

What It Is

Key Components

Additional implementation guidance for 37 ISO 27002 controls in cloud contexts.

Seven new CLD controls: shared roles, VM segregation/hardening, admin operations, customer monitoring, asset removal.

Built on ISO 27001; integrated into ISMS audits, no standalone certification.

Dual perspectives for CSPs and CSCs.

What It Is

Key Components

Domains: physical security, network protection, access control, data security, monitoring, governance.

Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).

Compliance: self-classification, third-party audits (Level 2+), PSB approval, periodic re-evaluations.

Aspect

ISO 27017

MLPS 2.0 (Multi-Level Protection Scheme)

Scope

Cloud-specific security controls for ISMS

Graded protection for all networks/systems

Industry

All industries, global CSPs/customers

All sectors in China, mandatory for operators

Nature

Voluntary guidance, ISO 27001 extension

Mandatory regulation, enforced by PSBs

Testing

ISO 27001 audits include 27017 controls

Third-party evaluations, PSB approval Level 2+

Penalties

Loss of certification, no legal fines

Fines, suspensions, operational shutdowns