Expert Advice Community

Applicability of ISO 27017/27018

Guest user. Created: Nov 25, 2016. Last commented: Nov 25, 2016

1 - 27017/2018 cloud service, is this kind only for data center?

Expert
Rhand Leal Nov 25, 2016

Answer: No. Both standards also cover practices that should be adopted by the cloud service customer (e.g., defining security requirements, assessing the provider's capability, etc.). Where a control covers both provider and customer, the standards present them explicitly, informing the proper practice to be considered for each.

2 - If I use the cloud service, the security part is done by the cloud vendor right?

Answer: Depending upon the cloud service contracted, the security responsibilities between providers and customers may vary. You should check your service agreement or contract to verify which are the responsibilities for each part.

These articles will provide you further explanation about ISO 27017 and ISO 27018:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
- Resolving cloud security concerns by defining clear responsibilities according to ISO 27017 https://advisera.com/27001academy/blog/2016/08/23/resolving-cloud-security-concerns-by-defining-clear-responsibilities-according-to-iso-27017/
