Demonstrate information security in cloud services

ISO/IEC 27017 is an internationally recognized standard designed for all cloud service providers. It supports the implementation of cloud-specific information security measures. The standard is coordinated with the implementation recommendations from ISO/IEC 27002 so that it seamlessly fits an IT security management system according to ISO/IEC 27001.

Information security guidance for cloud computing

Building cloud-specific information security controls

Identification of security aspects

Proof of secure data transmission

Description of the standard / set of rules

ISO 27017 standard breakdown

The requirements of ISO 27017 are specifically designed for cloud service providers. For each area of the overarching ISO 27001 information security standard, potential cloud security specifics are outlined. This methodology allows you to rapidly identify and integrate these requirements into your security management system.

The prerequisite for ISO 27017 is the widely recognized ISO 27001 standard. ISO 27017 takes the fundamentals of the ISO 27001 standard and adds additional security features related to cloud computing.

The current standard was reviewed and confirmed by ISO in 2021.

ISO/IEC 27017:2015 - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

From the contents:

1 Scope

2 Normative references

3 Terms and abbreviations

4 Concepts specific to the cloud sector

5 Information security guidelines

6 Organization of information security

7 Personnel security

8 Asset management

9 Access control

10 Cryptography

11 Physical and environmental security

12 Operational security

13 Communication security

14 Acquisition, development, and maintenance of systems

15 Supplier relationships

16 Information security incident handling

17 Information security aspects of business continuity management

18 Compliance

Annex A Extended set of controls for cloud services

Annex B References to information security risk in the context of cloud computing

ISO/IEC 27017 is available from the ISO website.


How can the ISO 27017 certification be useful to my company in the US?

ISO 27017 emphasizes the importance of communication between companies of all sizes and industries and their customers in developing appropriate security management processes. In addition, ISO 27017 specifies the relationship between cloud service customers and their service providers. It describes in detail what customers can expect from their provider and what providers should have ready for customers. Thus, ISO 27017 concerns not only the cloud service providers themselves, but the security of the cloud as a whole.

If the requirements of the standard are met, providers and customers can assume that all important points relating to information security are also considered for the respective service.


What are the benefits of the ISO 27017 guideline?

The standard for the security of cloud services can help cloud providers identify the important security aspects for choosing a suitable partner in North America as well as internationally. IT decision-makers often want more flexibility and the ability to select the optimal cloud provider for each use case. As a result, the provision of IT services is evolving from a chain into a network in which the commercial and technical relationships multiply, which in turn leads to a whole new level of complexity.

ISO 27017:2015 standardizes the relationships between cloud customers and cloud service providers through an analysis grid and the targeted exchange of information, making it easier to manage the business relationship.

Who is allowed to certify to ISO 27017?

To certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. DQS Inc. is accredited, making us authorized to perform audits and certifications according to both ISO/IEC 27001 and ISO/IEC 27017.


What are the steps to get an ISO 27017 certification?

Your company will be certified on the basis of the international standard ISO/IEC 27001 for an information security management system, with ISO/IEC 27017:2015 implemented on top of it. Once all standard requirements have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS Inc.

In the first step, we will discuss your company, current information security, and the goals of ISO 27017 certification. Based on these discussions, you will receive an individual quote customized to your company's needs.

Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor as well as to develop an individual audit program for all involved areas and locations. A gap assessment also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.

The certification audit starts with the stage 1 audit: a system analysis and an evaluation of your documentation, your objectives, the results of your management review, the scope, and the internal audits. In this step, we determine whether your management system is sufficiently developed and ready for certification.

In the stage 2 system audit, your on-site auditor assesses the effectiveness of all management processes and whether you meet all the requirements of the standard. The results are presented at a final meeting and, if necessary, action plans are agreed upon.

After the certification audit, the results are evaluated by the independent certification body of DQS Inc. You will receive an audit report documenting the audit results. If all standard requirements are met, you will receive a corresponding certificate of conformity. The validity period of the certificate of conformity is directly linked to the validity of the underlying ISO 27001 certificate.

To ensure that your company continues to meet all important requirements after the audit, DQS Inc. conducts surveillance audits on an annual basis. In this way, the continuous improvement of your information security management system and your business processes is expertly supported.

The certificate of conformity is valid for a maximum of three years. Recertification is carried out by DQS Inc. before expiration to ensure ongoing compliance with the applicable standard requirements of the IT security catalog. Upon compliance, a new certificate of conformity is issued.


What does ISO 27017 certification cost?

Since every company has unique prerequisites and requirements for a management system, the costs for the audit and certification to ISO 27017 based on ISO 27001 cannot be given as a lump sum. We are happy to make you a customized quote based on an objective assessment and your requirements.


What you can expect from DQS Inc.

  • Over 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong domain knowledge
  • Value-adding insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, seamless support from our U.S. based specialists along with international support
  • Individual offers with flexible contract terms and no hidden costs
Your local contact

We would be happy to provide you with a custom quote for ISO 27017.