What is the primary objective of **ISO 27017**?

**ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4).** Published in 2015, it addresses shared responsibilities between **cloud service providers (CSPs)** and **cloud service customers (CSCs)**, covering multi-tenancy segregation, virtual machine hardening, asset removal/return, administrative operations security, customer monitoring, and virtual network alignment within an **ISO 27001 ISMS**.

Who is legally or professionally required to comply with **ISO 27017**?

**No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice.** Professionally, **CSPs** and **CSCs** with significant cloud footprints adopt it to demonstrate due diligence, especially in regulated sectors or procurement demanding cloud security assurance; ~94% of organizations use cloud services, with 61% reporting incidents driving its relevance.

Does **ISO 27017** require an external audit or third-party certification?

**ISO 27017 does not require standalone external audit or certification, as it is not a certifiable management system.** Controls are assessed within an **ISO 27001** audit by accredited certification bodies, often via joint scope inclusion, yielding ISO 27001 certificates referencing ISO 27017 conformance.

How often should an assessment for **ISO 27017** be performed?

**ISO 27017 assessments occur during annual ISO 27001 surveillance audits and triennial re-certification.** Continuous monitoring of cloud controls (e.g., configurations, logging) supports ongoing effectiveness, with formal re-assessments triggered by significant changes like new services or risk updates.

What are the consequences of non-compliance with **ISO 27017**?

**Non-compliance with ISO 27017 carries no direct legal penalties, as it is voluntary.** Indirect consequences include heightened breach risk from unaddressed cloud threats (e.g., multi-tenancy failures), failed procurements, regulatory scrutiny under data laws, and loss of market differentiation for CSPs.

Can **ISO 27017** be mapped to other international frameworks?

**Yes, ISO 27017 maps directly to ISO 27001/27002 controls and aligns with frameworks like NIST SP 800-53 and CSA STAR via its 37 extended and 7 CLD controls.** ~70% of CSPs map it for cross-framework compliance, facilitating unified evidence in multi-standard environments.

What is the first step to begin implementing **ISO 27017**?

**Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls.** Define ISMS scope including cloud services, document shared CSP/CSC responsibilities (per CLD.6.3.1), and update the Statement of Applicability with the 37 guided and 7 CLD controls.

What is the primary objective of **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The primary objective of MLPS 2.0 is to classify information systems into five protection levels based on potential harm to national security, social order, and public interests, ensuring commensurate technical, management, and governance controls.** Originating from China's 2017 Cybersecurity Law (Article 21), it mandates network operators to prevent attacks, data breaches, and disruptions through graded requirements in standards like GB/T 22239-2019, covering cloud, IoT, big data, and industrial systems.

Who is legally or professionally required to comply with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**All network operators in mainland China, including domestic firms, foreign-invested enterprises, and multinationals with local systems, must comply with MLPS 2.0.** This encompasses operators of IT networks, cloud platforms, IoT, big data, and industrial controls, with critical sectors like finance, energy, and telecom often at Level 3+.

Does **MLPS 2.0 (Multi-Level Protection Scheme)** require an external audit or third-party certification?

**Yes, MLPS 2.0 requires external security reviews by licensed Chinese firms for Level 2+ systems, with PSB approval and a minimum passing score of 75/100.** Level 3+ demands annual evaluations per GB/T 28448-2019, including documentation, testing, and on-site inspections.

How often should an assessment for **MLPS 2.0 (Multi-Level Protection Scheme)** be performed?

**Assessments under MLPS 2.0 must occur biennially for Level 2, annually for Level 3, semi-annually for Level 4, and as mandated for Level 5, plus after major changes.** Self-inspections are continuous, with re-evaluations triggered by architecture shifts like cloud migrations.

What are the consequences of non-compliance with **MLPS 2.0 (Multi-Level Protection Scheme)**?

**Non-compliance with MLPS 2.0 results in fines up to 100,000 yuan, operational suspensions, system shutdowns, and intensified PSB inspections.** Enforcement links to business license renewals, with cases like a RMB 223 million bank fine for data failures.

Can **MLPS 2.0 (Multi-Level Protection Scheme)** be mapped to other international frameworks?

**Yes, MLPS 2.0 maps to frameworks like ISO 27001 and NIST CSF, aligning organizational, physical, and technical controls.** Leverage ISO's Statement of Applicability for MLPS gap analysis, though MLPS adds prescriptive grading and PSB oversight.

What is the first step to begin implementing **MLPS 2.0 (Multi-Level Protection Scheme)**?

**The first step is conducting a provisional self-assessment to classify systems into Levels 1-5 based on impact to national security and social order.** Inventory assets, document rationale per GB/T 22239-2019, then file with local PSB within 30 days for Level 2+.

ISO 27017 vs MLPS 2.0 (Multi-Level Protection Scheme)

Standards Comparison

ISO 27017

Voluntary

2015

International code for cloud-specific security controls

MLPS 2.0 (Multi-Level Protection Scheme)

Mandatory

N/A

China's mandatory graded cybersecurity protection scheme

Quick Verdict

ISO 27017 provides voluntary cloud security guidance integrated into global ISMS for CSPs worldwide, while MLPS 2.0 mandates graded protections for all Chinese networks with PSB enforcement. Companies adopt ISO for trust, MLPS for legal compliance.

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and CSCs
Introduces seven cloud-specific security controls
Ensures multi-tenant segregation and VM hardening
Mandates secure asset removal and data lifecycle management
Enables customer monitoring of cloud service activities

Standard

MLPS 2.0 (Multi-Level Protection Scheme)

Multi-Level Protection Scheme 2.0

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Five impact-based protection levels for systems
Mandatory classification and PSB registration Level 2+
Technical controls for cloud, IoT, big data
Governance, personnel, third-party management requirements
Third-party audits scoring 75/100 minimum

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice providing cloud-specific guidance for information security controls based on ISO/IEC 27002. It extends ISO 27001 ISMS for cloud environments, addressing shared responsibilities in IaaS, PaaS, SaaS across public, private, hybrid deployments. Its risk-based approach adapts controls to unique cloud risks like multi-tenancy and virtualization.

Key Components

Additional implementation guidance for 37 ISO 27002 controls in cloud contexts.
Seven new CLD controls: shared roles, VM segregation/hardening, admin operations, customer monitoring, asset removal.
Built on ISO 27001; integrated into ISMS audits, no standalone certification.
Dual perspectives for CSPs and CSCs.

Why Organizations Use It

Resolves shared responsibility ambiguities, preventing security gaps.
Supports regulatory compliance (GDPR, CCPA) and procurement demands.
Enhances risk management for cloud incidents.
Provides competitive differentiation and customer trust.
Boosts reputation via auditable cloud security posture.

Implementation Overview

Integrate via ISO 27001 risk assessment, control mapping, SoA updates.
Implement configurations, policies, training; audit as 27001 extension.
Applies to CSPs/CSCs of all sizes globally.
Joint audits (9-12 months) with 27001 reduce costs.

MLPS 2.0 (Multi-Level Protection Scheme) Details

What It Is

MLPS 2.0 (Multi-Level Protection Scheme 2.0) is China's legally mandated regulatory framework for cybersecurity, operationalizing Article 21 of the 2016 Cybersecurity Law. It requires network operators to classify systems into five protection levels based on potential harm to national security, social order, and public interests, applying graded technical, governance, and physical controls.

Key Components

Domains: physical security, network protection, access control, data security, monitoring, governance.
Standards: GB/T 22239-2019 (baseline), GB/T 25070-2019 (technical), GB/T 28448-2019 (evaluation).
Compliance: self-classification, third-party audits (Level 2+), PSB approval, periodic re-evaluations.

Why Organizations Use It

Avoids fines, license suspensions, inspections.
Strengthens resilience against cyber threats.
Essential for China market access, operations.
Builds regulator trust, competitive edge.

Implementation Overview

Phased: inventory, classify, gap analysis, remediate, audit, monitor.
Targets all China-based network operators; intensive for multinationals.
Mandatory audits, filings for Level 2+ systems.

Key Differences

Aspect	ISO 27017	MLPS 2.0 (Multi-Level Protection Scheme)
Scope	Cloud-specific security controls for ISMS	Graded protection for all networks/systems
Industry	All industries, global CSPs/customers	All sectors in China, mandatory for operators
Nature	Voluntary guidance, ISO 27001 extension	Mandatory regulation, enforced by PSBs
Testing	ISO 27001 audits include 27017 controls	Third-party evaluations, PSB approval Level 2+
Penalties	Loss of certification, no legal fines	Fines, suspensions, operational shutdowns