What is the primary objective of ISO 27017?

ISO 27017 provides cloud-specific implementation guidance for 37 ISO 27002 controls plus 7 additional cloud-focused controls (CLD.6.3.1, CLD.8.1.5, CLD.9.5.1, CLD.9.5.2, CLD.12.1.5, CLD.12.4.5, CLD.13.1.4). Published in 2015, it addresses shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs), covering multi-tenancy segregation, virtual machine hardening, asset return/termination, administrative operations security, customer monitoring, and network alignment in IaaS, PaaS, and SaaS environments.

Who is legally or professionally required to comply with ISO 27017?

No organization is legally required to comply with ISO 27017, as it is a voluntary code of practice. It is professionally recommended for CSPs and CSCs with significant cloud footprints, particularly in regulated sectors facing procurement demands or cloud-related incidents (61% of organizations report such incidents). Adoption is driven by market expectations for demonstrating cloud security within an ISMS.

Does ISO 27017 require an external audit or third-party certification?

ISO 27017 does not support standalone third-party certification or external audits. It is implemented within an ISO 27001 ISMS, with its controls assessed during ISO 27001 audits by accredited certification bodies; auditors verify the 7 CLD controls and 37 extended controls as part of the scope.

How often should an assessment for ISO 27017 be performed?

ISO 27017 assessments occur as part of annual ISO 27001 surveillance audits and triennial re-certification. Controls must be continuously monitored via risk assessments, with formal reviews triggered by significant changes like new cloud services; the standard aligns with ISO 27001's ongoing ISMS evaluation requirements.

What are the consequences of non-compliance with ISO 27017?

Non-compliance with ISO 27017 carries no direct legal penalties, as it is not mandatory. Indirect consequences include increased cloud breach risk (e.g., from misconfigurations), failed procurement RFPs, regulatory scrutiny under data laws, and loss of competitive edge for CSPs lacking verifiable cloud controls.

Can ISO 27017 be mapped to other international frameworks?

Yes, ISO 27017 controls map directly to ISO 27001 Annex A and ISO 27002 for seamless ISMS integration. Its CLD controls and guidance on 37 shared controls align with frameworks like NIST SP 800-53 and CSA STAR II via control matrices, enabling unified compliance evidence for multi-cloud environments.

What is the first step to begin implementing ISO 27017?

Conduct a cloud-specific risk assessment within your ISO 27001 ISMS to identify applicable controls. Define ISMS scope including cloud services, document shared CSP/CSC responsibilities per CLD.6.3.1, and update the Statement of Applicability to include the 7 CLD controls and 37 extended ISO 27002 controls.

What is the primary objective of SAMA CSF?

SAMA CSF's primary objective is to create a common approach for addressing cybersecurity across Member Organizations, achieve appropriate maturity levels of cybersecurity controls, and ensure cybersecurity risks are properly managed. Issued as Version 1.0 in May 2017 by the Saudi Arabian Monetary Authority, it prescribes principles, objectives, and control considerations across four domains—Cyber Security Leadership and Governance, Risk Management and Compliance, Operations and Technology, and Third Party Cyber Security—using a six-level maturity model targeting at least Level 3 (Structured and Formalized).

Who is legally or professionally required to comply with SAMA CSF?

SAMA CSF is mandatory for all SAMA-regulated financial institutions, including banks, insurance and reinsurance companies, financing companies, credit bureaus, and financial market infrastructure providers. All domains apply fully to banks, with tailored exceptions for non-banks (e.g., exclusions for payment systems unless handling cardholder data or SWIFT). Boards, senior management, CISOs, Chief Risk Officers, IT leaders, and third-party risk managers bear direct accountability.

Does SAMA CSF require an external audit or third-party certification?

No, SAMA CSF does not require external audit or third-party certification; compliance is enforced through periodic self-assessments using SAMA-provided questionnaires and direct supervisory review by SAMA. Internal audits must be conducted independently per accepted standards, with evidence of maturity (targeting Level 3+) submitted for SAMA review; waivers for controls require formal SAMA approval.

How often should an assessment for SAMA CSF be performed?

SAMA CSF requires periodic self-assessments using SAMA questionnaires, with annual reviews of critical information assets and more frequent assessments triggered by projects, changes, outsourcing, or new products. Maturity levels must be evaluated regularly to demonstrate progression toward Level 3 (Structured and Formalized), with results documented for SAMA supervisory audits and peer benchmarking.

What are the consequences of non-compliance with SAMA CSF?

Non-compliance with SAMA CSF triggers regulatory enforcement actions, including formal supervisory interventions, remediation demands, elevated scrutiny, audit findings, and potential operational restrictions. As a mandatory framework under SAMA's authority, failures to achieve minimum Maturity Level 3 expose institutions to material risks like financial losses, incident amplification, reputational damage, and broader banking penalties.

Can SAMA CSF be mapped to other international frameworks?

Yes, SAMA CSF aligns conceptually with international frameworks such as NIST CSF, ISO 27001, PCI-DSS, and BASEL, enabling control mappings for integrated compliance. Its principle-based structure and maturity model map to NIST functions (Identify, Protect, Detect, Respond, Recover) and ISO 27001's ISMS, with explicit references to PCI-DSS and SWIFT CSCF for sector-specific controls.

What is the first step to begin implementing SAMA CSF?

The first step to implement SAMA CSF is to secure Board and Senior Management sponsorship, establish a project charter, and conduct a control-level gap analysis against the framework's domains using the maturity model. Appoint program leadership (e.g., CISO oversight), inventory applicable controls, and produce an initial maturity baseline targeting Level 3, documenting gaps in a register for prioritized remediation.

Standards Comparison

ISO 27017 vs SAMA CSF

ISO 27017

Voluntary

2015

International code of practice for cloud security controls

SAMA CSF

Mandatory

2017

Saudi regulatory framework for financial cybersecurity

Quick Verdict

ISO 27017 provides cloud-specific security guidance for global ISMS, while SAMA CSF mandates comprehensive cybersecurity maturity for Saudi financial firms. Organizations adopt ISO 27017 for cloud assurance in ISO 27001 audits; SAMA CSF ensures regulatory compliance and resilience.

Cloud Security

ISO 27017

ISO/IEC 27017:2015 Code of practice for cloud security controls

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Clarifies shared responsibilities between CSPs and customers
Adds seven cloud-specific security controls
Provides guidance for 37 ISO 27002 controls in cloud
Ensures multi-tenant segregation and VM hardening
Mandates secure asset removal and monitoring

Cybersecurity

SAMA CSF

SAMA Cyber Security Framework Version 1.0

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Six-level maturity model with Level 3 baseline
Four core domains covering governance to third-parties
Principle-based controls aligned with NIST/ISO
Board oversight and independent CISO mandate
Mandatory self-assessments and SAMA audits

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

ISO 27017 Details

What It Is

ISO/IEC 27017:2015 is a code of practice extending ISO/IEC 27002 with cloud-specific information security controls. It provides implementation guidance for cloud services, focusing on shared responsibilities between cloud service providers (CSPs) and customers (CSCs) in a risk-based approach within an ISO 27001 ISMS.

Key Components

Guidance on 37 ISO 27002 controls adapted for cloud.
Seven additional CLD controls for multi-tenancy, VM hardening, asset lifecycle, monitoring, and admin operations.
Built on ISO 27001 framework; not standalone certification.
Dual perspective for CSPs and CSCs.

Why Organizations Use It

Addresses cloud risks like isolation and shared duties.
Enhances regulatory compliance (e.g., GDPR via overlaps).
Builds trust in multi-cloud procurement.
Provides competitive edge for CSPs; due diligence for CSCs.
Reduces incidents through mature controls.

Implementation Overview

Integrate into existing ISO 27001 ISMS via risk assessment.
Map controls, update SoA, implement technical measures (e.g., logging, segregation).
Applies to all sizes using cloud (IaaS/PaaS/SaaS); global scope.
Audited as extension in ISO 27001 certification (9-12 months joint).

SAMA CSF Details

What It Is

The Saudi Arabian Monetary Authority Cyber Security Framework (SAMA CSF) Version 1.0 (May 2017) is a mandatory regulatory framework for SAMA-regulated financial institutions in Saudi Arabia. It prescribes governance, controls, and a maturity model to detect, resist, respond, and recover from cyber threats, using a principle-based, risk-oriented approach.

Key Components

Four domains: Cyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security
Subdomains with principles, objectives, control considerations (114+ subcontrols)
Six-level Maturity Model (minimum Level 3: Structured/Formalized)
Aligned with NIST CSF, ISO 27001, PCI-DSS
Self-assessment and SAMA audits for compliance

Why Organizations Use It

Mandatory compliance avoids fines, scrutiny
Builds resilience, reduces incidents/downtime
Enables efficiency, partnerships, competitive differentiation
Enhances risk intelligence, stakeholder trust

Implementation Overview

Phased: Initiation/Gap Analysis, Risk Assessment, Design/Roadmap, Deployment, Operate/Monitor, Audit/Improve
Targets SAMA entities (banks, insurers); all sizes
Risk-based, iterative; no certification but regulatory review (179 words)

Key Differences

Aspect	ISO 27017	SAMA CSF
Scope	Cloud-specific security controls for ISMS	Comprehensive cybersecurity for financial sector
Industry	All industries, cloud users/providers globally	Saudi financial institutions only
Nature	Voluntary code of practice, no standalone cert	Mandatory regulatory framework with maturity model
Testing	Integrated into ISO 27001 audits	Periodic self-assessments and SAMA audits
Penalties	Loss of ISO 27001 certification	Fines, license suspension, regulatory action

Scope

ISO 27017

Cloud-specific security controls for ISMS

SAMA CSF

Comprehensive cybersecurity for financial sector

Industry

ISO 27017

All industries, cloud users/providers globally

SAMA CSF

Saudi financial institutions only

Nature

ISO 27017

Voluntary code of practice, no standalone cert

SAMA CSF

Mandatory regulatory framework with maturity model

Testing

ISO 27017

Integrated into ISO 27001 audits

SAMA CSF

Periodic self-assessments and SAMA audits

Penalties

ISO 27017

Loss of ISO 27001 certification

SAMA CSF

Fines, license suspension, regulatory action

Frequently Asked Questions

Common questions about ISO 27017 and SAMA CSF

ISO 27017 FAQ

SAMA CSF FAQ

You Might also be Interested in These Articles...

ISO 27701 Standalone Certification in 2025: Debunking Myths and Navigating the New Reality

Debunk myths on ISO 27701 standalone certification post-2025. Clarify viability, accreditation bodies, ISO 27001 audit differences & procurement benefits. Guide

CMMC Scoping Mastery for Defense Supply Chains: Enclave Mapping, Subcontractor Flow-Down, and CUI Inventory Blueprint

Master CMMC scoping for DIB: delineate FCI/CUI boundaries, segment enclaves, manage subcontractor flow-down. Prevent 80% assessment failures with SSP templates,

SOC 2 Audit Survival Guide: Auditor Questions, Red Flags, and Evidence Prep for First-Time Pass

Ace your SOC 2 audit with predicted auditor questions, model answers, red flags, and evidence checklists from CPA best practices & SignWell's journey. Reduce st

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how ISO 27017 and SAMA CSF compare against other standards

Other ISO 27017 Comparisons

Other SAMA CSF Comparisons

What It Is

Key Components

Four domains: Cyber Security Leadership & Governance, Risk Management & Compliance, Operations & Technology, Third-Party Security

Subdomains with principles, objectives, control considerations (114+ subcontrols)

Six-level Maturity Model (minimum Level 3: Structured/Formalized)

Aligned with NIST CSF, ISO 27001, PCI-DSS

Self-assessment and SAMA audits for compliance

Aspect

ISO 27017

SAMA CSF

Scope

Cloud-specific security controls for ISMS

Comprehensive cybersecurity for financial sector

Industry

All industries, cloud users/providers globally

Saudi financial institutions only

Nature

Voluntary code of practice, no standalone cert

Mandatory regulatory framework with maturity model

Testing

Integrated into ISO 27001 audits

Periodic self-assessments and SAMA audits

Penalties

Loss of ISO 27001 certification

Fines, license suspension, regulatory action