Proof of information security in cloud services

ISO/IEC 27017 is an internationally recognized standard for securing cloud services and is aimed at all cloud service providers. It supports the implementation of cloud-specific information security controls. The standard is aligned with the implementation guidance of ISO/IEC 27002 and therefore fits seamlessly into an information security management system (ISMS) according to ISO/IEC 27001.

  • Information security guidance for cloud computing
  • Building cloud-specific information security controls
  • Identification of security aspects
  • Proof of secure data transmission

Description of the standard / set of rules

Information on the ISO 27017 standard

The requirements of ISO 27017 are specifically tailored for cloud service providers. For each area of the overarching ISO 27001 information security standard, potential cloud security specifics are outlined. This methodology allows you to more quickly identify and integrate these security requirements into your security management system.

ISO 27017 is based on the well-known ISO 27001 standard for information security management systems and adds security aspects for cloud computing. Therefore, certification to ISO 27001 is also a prerequisite for an extension to ISO 27017.

The current standard was reviewed and confirmed by ISO in 2021. 

ISO/IEC 27017:2015 - Information technology - Security techniques - Code of practice for information security controls based on ISO/IEC 27002 for cloud services

From the contents:

1 Scope

2 Normative references

3 Terms and abbreviations

4 Concepts specific to the cloud sector

5 Information security guidelines

6 Organization of information security

7 Personnel security

8 Asset management

9 Access control

10 Cryptography

11 Physical and environmental security

12 Operational security

13 Communication security

14 Acquisition, development and maintenance of systems

15 Supplier relationships

16 Information security incident handling

17 Information security aspects of business continuity management

18 Compliance

Annex A Extended set of controls for cloud services

Annex B References to information security risk in the context of cloud computing

ISO/IEC 27017 is available from the ISO website.


Why is certification to ISO 27017 useful?

ISO 27017 emphasizes the importance of communication between companies of any kind and their customers to develop appropriate security management processes. In addition, ISO 27017 specifies the relationship between cloud service customers and cloud service providers. It describes in detail what customers can expect from their provider and what information providers themselves should have ready for customers. Thus, ISO 27017 concerns not only the cloud service providers themselves, but the security of the cloud as a whole.

If the requirements of the standard are met, providers and customers can assume that all important points relating to information security are also taken into account for the respective service.


What are the benefits of the ISO 27017 guideline?

The international standard for the security of cloud services helps to identify the important security aspects when choosing a suitable cloud partner. IT decision-makers often want more flexibility and the ability to select the optimal cloud provider for each use case. As a result, the provision of IT services is evolving from a chain into a network. The commercial and technical relationships multiply, and this in turn leads to a whole new level of complexity.

ISO 27017:2015 standardizes the relationships between cloud customers and cloud service providers through an analysis grid and the targeted exchange of information, making it easier to manage the business relationship.

Who is allowed to certify

Who is allowed to certify to ISO 27017?

In order to certify an information security management system, the respective certification body itself must be accredited to ISO/IEC 17021 and ISO/IEC 27006. DQS is accredited by the Deutsche Akkreditierungsstelle GmbH (DAkkS) and others, and is therefore authorized to perform audits and certifications according to both ISO/IEC 27001 and ISO/IEC 27017.


How does an ISO 27017 certification proceed?

Your company is certified on the basis of the international standard ISO/IEC 27001 for an information security management system, with ISO/IEC 27017:2015 implemented as an extension. Once all standard requirements have been implemented, you can have your management system certified. You will go through a multi-stage certification process at DQS.

In the first step, you will discuss your company, your current information security and the goals of ISO 27017 certification with us. Based on these discussions, you will receive an individual offer tailored to your company's needs.

Especially for larger certification projects, a planning meeting is a valuable opportunity to get to know your auditor as well as to develop an individual audit program for all involved areas and locations. A pre-audit also offers the opportunity to identify potential for improvement as well as strengths of your management system in advance. Both services are optional.

The certification audit starts with a system analysis (audit stage 1) and the evaluation of your documentation, the objectives, the results of your management assessment, the review of the scope and the internal audits. In this process, we determine whether your management system is sufficiently developed and ready for certification.

In the next step (system audit stage 2), your auditor assesses on site the effectiveness of all management processes and whether you meet all the requirements of the standard. The results are presented at a final meeting and, if necessary, plans for concrete measures are agreed.

After the certification audit, the results are evaluated by the independent certification body of DQS. You will receive an audit report documenting the audit results. If all standard requirements are met, you will receive a corresponding certificate of conformity. The validity period of the certificate of conformity is directly linked to the validity of the underlying ISO 27001 certificate.

To ensure that your company continues to meet all important requirements after the audit, we conduct surveillance audits on an annual basis. In this way, the continuous improvement of your information security management system and your business processes is supported by experienced auditors.

The certificate of conformity is valid for a maximum of three years. Recertification is carried out in good time before expiry to ensure ongoing compliance with the applicable standard requirements of the IT security catalog. Upon compliance, a new certificate of conformity is issued.


What does ISO 27017 certification cost?

Since every company has different prerequisites and individual requirements for a management system, the costs for the audit and certification to ISO 27017 based on ISO 27001 cannot be given as a lump sum. Please contact us: We will be happy to make you a customized offer based on an objective assessment and your requirements.


What you can expect from us

  • More than 35 years of experience in the certification of management systems and processes
  • Industry-experienced auditors and experts with strong domain knowledge
  • Value-adding insights into your company
  • Certificates with international acceptance
  • Expertise and accreditations for all relevant standards
  • Personal, smooth support from our specialists - regionally, nationally and internationally
  • Individual offers with flexible contract terms and no hidden costs

We would be happy to provide you with a customized offer for ISO 27017 certification.