What are ISO/IEC 27017 and 27018?
ISO/IEC 27017 and ISO/IEC 27018 are both codes of practice — control guidance, not certifiable standards in their own right. Each one takes the well-known control set described in ISO/IEC 27002 and extends it to the realities of cloud computing, where the line between who runs a control and who relies on it is no longer obvious.
ISO/IEC 27017 covers cloud security: how the generic ISO/IEC 27002 controls should be implemented when the service in question runs in the cloud, plus a small number of controls that only exist in a cloud context. ISO/IEC 27018 covers privacy in the cloud specifically: how a provider running a public cloud should protect the personally identifiable information (PII) its customers entrust to it.
The crucial thing to understand up front is that you do not certify against 27017 or 27018 by themselves. They are implemented and assessed as an extension to an ISO/IEC 27001 certification — you pull their controls into your management system and an accredited certification body checks them alongside the rest of your ISMS. If you already think in terms of ISO/IEC 27001, treat these two as additions to that scope, not separate projects.
Code of practice vs certifiable standard
ISO/IEC 27001 is the standard you certify against — it sets the requirements for the management system. ISO/IEC 27002, 27017 and 27018 are codes of practice: they describe how to implement controls, but you do not hold a certificate "in 27002" or "in 27017". When a customer asks for ISO 27017 or 27018, what they are really asking is whether those controls are inside your ISO/IEC 27001 scope and were assessed with it.