References to the controls defined by ISO 27017 and ISO 27018 can be found in each document in section 2, Reference documents, and in the comments on ISO 27017 and ISO 27018 texts that customers can customize (e.g., what the responsibilities of PII controllers are).
The toolkit also includes a List of documents file that shows which clauses from these standards are covered by each template.
Please note that, for certification purposes, such a degree of granularity in identifying information related to these standards is not required (this is not required even for ISO 27001).
For further information, see:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/