Proof of information security in cloud services
Information security guidance for cloud computing
Building cloud-specific information security controls
Identification of security aspects
Proof of secure data transmission
Information on the ISO 27017 standard
ISO 27017 builds on the well-known ISO 27001 standard for information security management systems and adds security controls and implementation guidance that are specific to cloud computing. Certification to ISO 27001 is therefore a prerequisite for an extension to ISO 27017.
The standard was last reviewed and confirmed by ISO in 2021, so ISO/IEC 27017:2015 remains the current edition.
ISO/IEC 27017:2015 - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services
From the contents:
2 Normative references
3 Definitions and abbreviations
4 Cloud sector-specific concepts
5 Information security policies
6 Organization of information security
7 Human resource security
8 Asset management
9 Access control
10 Cryptography
11 Physical and environmental security
12 Operations security
13 Communications security
14 System acquisition, development and maintenance
15 Supplier relationships
16 Information security incident management
17 Information security aspects of business continuity management
18 Compliance
Annex A Cloud service extended control set
Annex B References on information security risk related to cloud computing
ISO/IEC 27017 is available from the ISO website.
Why is certification to ISO 27017 useful?
Where the requirements of the standard are met, cloud service providers and their customers have evidence that the cloud-specific information security aspects of the service in question have been addressed in a documented and auditable way, rather than having to rely on assurances from one side alone.
What are the benefits of the ISO 27017 guideline?
ISO/IEC 27017:2015 structures the relationship between cloud service customers and cloud service providers: for each control it states what the provider and what the customer is expected to implement, and it defines which information the two parties have to exchange. This makes the division of responsibilities transparent and the business relationship easier to manage.
Who is allowed to certify to ISO 27017?
How does an ISO 27017 certification proceed?
Your company is certified against the international standard ISO/IEC 27001 for its information security management system, with ISO/IEC 27017:2015 implemented as an extension. Once all requirements of both standards have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS.
In the first step, you will discuss your company, your current information security and the goals of ISO 27017 certification with us. Based on these discussions, you will receive an individual offer tailored to your company's needs.
Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor as well as to develop an individual audit program for all involved areas and locations. A gap assessment also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.
The certification audit starts with a system analysis (stage 1 audit): the evaluation of your documentation, your objectives, the results of your management review, the defined scope and your internal audits. In this step we determine whether your management system is sufficiently developed and ready for certification.
In the next step (stage 2 system audit), your auditor assesses on site the effectiveness of all management processes and whether you meet all requirements of the standard. The results are presented at a final meeting and, where necessary, plans for concrete corrective measures are agreed.
After the certification audit, the results are evaluated by the independent certification body of DQS. You will receive an audit report documenting the audit results. If all standard requirements are met, you will receive a corresponding certificate of conformity. The validity period of the certificate of conformity is directly linked to the validity of the underlying ISO 27001 certificate.
To ensure that your company continues to meet all relevant requirements after the audit, we conduct surveillance audits on an annual basis. In this way, the continuous improvement of your information security management system and your business processes is supported by an experienced auditor.
The certificate of conformity is valid for a maximum of three years. Recertification is carried out before it expires to confirm ongoing compliance with the applicable requirements of ISO/IEC 27001 and ISO/IEC 27017. Upon successful recertification, a new certificate of conformity is issued.
What does ISO 27017 certification cost?
What you can expect from us
- Expertise and accreditations for all relevant standards
- Personal, smooth support from our specialists - regionally, nationally and internationally
- Individual offers with flexible contract terms and no hidden costs