
ISO 27017 compliance

Disclaimer: Semgrep provides security tooling that can support compliance efforts, but does not guarantee compliance. Organizations remain responsible for meeting all compliance requirements. Consult with your compliance team and auditors to determine how Semgrep fits into your compliance program.

Last updated: November 2025

ISO/IEC 27017 builds on the ISO/IEC 27001 and 27002 control set with cloud-specific implementation guidance and additional controls for protecting customer data in cloud environments. The standard addresses both roles in a cloud relationship: cloud service providers and cloud service customers, with separate guidance for each.

Semgrep may help address ISO 27017 cloud security guidance:

  • Cloud service development: Continuous vulnerability scanning and policy enforcement can help demonstrate security controls in the development process. When integrated with your CI/CD system, Semgrep can enforce secure coding practices at the pull request level, so that findings your policy marks as blocking fail the check before code is merged. For configuration details, contact the Semgrep team.

  • Vulnerability management: Automated detection and tracking of security issues in code that runs in cloud environments. Audit logs document security scanning activity, findings, and remediation with timestamps.

  • Logging and monitoring: Audit logs provide documented evidence of continuous security monitoring across your cloud application codebase.

  • Supply chain security: SBOM generation provides an inventory of the third-party components and dependencies deployed in cloud services, giving visibility into supply chain risk.

  • Change management: Jira integration documents how security issues are tracked and remediated through your change management process with timestamps, assignments, and resolution status. Policy enforcement can help prevent vulnerable code from reaching cloud production environments.
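The pull request gate referred to above, as an added example that is not part of the original page: a GitHub Actions workflow that runs `semgrep ci` on every pull request and on pushes to the default branch. Which findings block the merge is decided by the policy configured in the Semgrep AppSec Platform, not by this file; the workflow only guarantees the scan runs and that a blocking finding fails the check. The secret name `SEMGREP_APP_TOKEN` and the branch name `main` are assumptions for this example.

```yaml
# Added example (not from the Semgrep page): run Semgrep as a required
# check on pull requests so blocking findings stop the merge.
name: semgrep-pr-gate

on:
  pull_request: {}
  push:
    branches: [main]   # assumed default branch name

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    # Skip automated dependency-update bots; their PRs are scanned on merge.
    if: (github.actor != 'dependabot[bot]')
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` pulls the rules and block/monitor policy from the
      # platform, scans the diff-aware change set, and exits non-zero when a
      # finding in "block" mode is present.
      - run: semgrep ci
        env:
          # Assumed repository secret holding a token issued by the
          # Semgrep AppSec Platform.
          SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```

To make this an enforced control rather than an advisory one, mark the `semgrep` job as a required status check in the repository's branch protection rules; otherwise a failing scan is visible but does not stop the merge.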

Deployment and certification

ISO 27017 applies to cloud service providers and customers. If you provide cloud services to customers, your deployment of Semgrep should align with your cloud security architecture.

Semgrep Inc. is ISO 27001 certified. Where scans run depends on the deployment mode:

  • CLI deployments: scans run on customer infrastructure.

  • On-premises CI/CD: scans run on customer-controlled infrastructure.

  • Cloud CI/CD providers (GitHub, GitLab, Azure DevOps, Bitbucket): these providers maintain ISO 27017 certification or equivalent cloud security controls.

  • AI Assistant: the default provider (OpenAI) operates in ISO 27017-compliant infrastructure.

  • Semgrep Managed Scans: the underlying AWS infrastructure maintains ISO 27017 certification for cloud security controls.

