ISO/IEC 27017:2015 Compliance



ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. This code of practice provides additional information security controls implementation guidance specific to cloud service providers.

  • What does ISO/IEC 27017:2015 mean to you as a customer?

    AWS' attestation to the ISO/IEC 27017:2015 guidance not only demonstrates our ongoing commitment to align with globally-recognized best practices, but also verifies that AWS has a system of highly precise controls in place that are specific to cloud services.

  • Who is the third-party assessor?

    EY CertifyPoint, an ISO certifying agent accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by EY CertifyPoint are recognized as valid certificates in all countries with an IAF member.

  • Can my organization align with ISO/IEC 27017:2015?

    AWS’ ISO/IEC 27017:2015 certification covers the security management process and cloud provider specific controls. If you are pursuing ISO/IEC certifications while operating part or all of your IT in the AWS cloud, you are not automatically certified by association. The AWS ISO/IEC 27017:2015 assessment provides evidence that our security controls are aligned with the 27017:2015 guidance specific to cloud service providers.

  • Can you provide a copy of the ISO/IEC 27017:2015 code of practice?

    ISO/IEC 27017:2015 along with many other economic, environmental and social standards are available on the ISO website. ISO/IEC has made the decision to copyright these standards in an effort to help fund the processes leading to development.

  • What AWS services are in scope for ISO/IEC 27017:2015?

    The covered AWS services that are already in scope for ISO/IEC 27017:2015 can be found within AWS Services in Scope by Compliance Program. If you would like to learn more about using these services and/or have interest in other services please contact us.

  • What AWS data centers are in scope for the ISO/IEC 27017:2015 assessment?

    US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), AWS GovCloud (US), Canada (Central), Europe (Ireland), Europe (Frankfurt), Europe (London), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Mumbai), and South America (São Paulo) Regions, as well as the AWS Edge Locations in:

    Melbourne, Australia

    Sydney, Australia

    Rio de Janeiro, Brazil

    São Paulo, Brazil

    Montréal, Canada

    Toronto, Canada

    Hong Kong, China

    London, England

    Marseille, France

    Paris, France

    Frankfurt, Germany

    Chennai, India

    Mumbai, India

    New Delhi, India

    Dublin, Ireland

    Milan, Italy

    Osaka, Japan

    Tokyo, Japan

    Seoul, Korea

    Amsterdam, Netherlands

    Manila, Philippines

    Warsaw, Poland


    Madrid, Spain

    Stockholm, Sweden

    Taipei, Taiwan

    California, United States

    Florida, United States

    Georgia, United States

    Illinois, United States

    Indiana, United States

    Missouri, United States

    Nevada, United States

    New Jersey, United States

    New York, United States

    Oregon, United States

    Texas, United States

    Virginia, United States

    Washington, United States

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »