At QSCert Middle East, we understand the importance of data security in the cloud. That’s why we offer certification services for ISO/IEC 27017, a security standard developed specifically for cloud service providers and users to create a safer cloud-based environment and reduce the risk of security problems.
ISO/IEC 27017 is an international standard that provides guidelines for information security controls applicable to the provision and use of cloud services. It is based on ISO/IEC 27002 and covers additional controls and implementation guidance for both cloud service providers and customers.
ISO/IEC 27017 certification demonstrates your commitment to cloud security. It provides additional implementation guidance for 37 controls specified in ISO/IEC 27002 and 7 additional controls related to cloud services. These controls address key aspects such as:
Our experts will guide you through the process, ensuring that your organization meets the standard’s requirements and helping you demonstrate your commitment to cloud security.
Contact us today to learn more about our ISO/IEC 27017 certification services and how we can help secure your cloud services.
Achieving ISO/IEC 27017 certification involves a rigorous process that ensures your organization’s compliance with the standard’s requirements. Here’s a general overview of the process:
We start by conducting a gap analysis to identify the areas where your organization currently meets the standard’s requirements and where improvements are needed.
Next, we’ll help you implement the necessary controls and processes to meet the standard’s requirements. This includes setting up systems for responsibility allocation, asset return, virtual environment protection, and more.
Once the controls and processes are in place, an internal audit is conducted to ensure they are effective and meet the standard’s requirements.
The results of the internal audit are then reviewed by management. This review is crucial for continual improvement and ensuring the system’s ongoing effectiveness.
Finally, a certification audit is conducted. This is a two-stage process: the Stage 1 audit checks the readiness of your organization for the Stage 2 audit, which is a more detailed evaluation of your organization’s compliance with ISO/IEC 27017.
Upon successful completion of the certification audit, your organization will be awarded the ISO/IEC 27017 certification. This certification is valid for three years, during which surveillance audits will be conducted to ensure ongoing compliance.
Remember, achieving and maintaining ISO/IEC 27017 certification is not a one-time event but a continuous process of improvement. At QSCert Middle East, we’re here to guide you through every step of this process. Contact us today to get started on your journey to cloud security excellence.
Cloud services emerged in the mid-2000s and have continued to develop to become a mainstream technology option for most organizations. However, cloud is not just a minor technology change; it is both a strategic opportunity and a strategic challenge for organizations. The range of cloud services continues to grow, and security continues to be a key factor and enabler for cloud use. The evolution of security for cloud has resulted in cloud service providers being at the forefront of security, and cloud customers having a high understanding of, and high expectations for, robust cloud security.
Within the International Organization for Standardization (ISO) family of information security standards known as ISO 27000, a key standard is ISO 27017, the Code of Practice for Information Security Controls based on ISO/IEC 27002 for Cloud Services. It is specifically designed to be applied to cloud environments from the perspectives of both the provider and the consumer / customer. The standard provides additional cloud-focused implementation guidance for relevant controls.
ISO/IEC 27017 is like a guide for companies using or thinking about using cloud services. Cloud companies follow this rulebook to keep their customers and others safe online. It’s all about keeping information secure.
ISO 27017 is part of a family of rules called ISO/IEC 27000. These rules help manage online security smartly. It’s like building on a set of rules called ISO/IEC 27002. ISO 27017 adds more rules, especially for cloud security.
ISO 27017 helps both those using cloud services and the ones providing them. It’s all about keeping things safe online, whether using a computer or a cloud service.
ISO 27017 makes sure to cover all the critical safety steps. It assesses the risks of operating online and then makes sure cloud security measures are in place to address them. It’s like adding extra locks to keep everything safe online.
ISO/IEC 27017:2015 is an information security code of practice for cloud services. It’s an extension to ISO/IEC 27001:2013 and ISO/IEC 27002, and it provides additional security controls for cloud service providers and for cloud service customers. An organisation implementing the standard would select the relevant controls for their circumstances.
The standard provides cloud-based guidance on 37 of the controls in ISO/IEC 27002, as well as providing 7 additional controls:
ISO/IEC 27017 is a compliance framework that offers guidelines for both cloud service providers and customers aimed at safeguarding physical networks and virtual cloud infrastructure. The international standard guides organizations on two fronts—the implementation of Information Security Management Systems (ISMS) controls provisioned within ISO 27002 as well as detailing controls that are unique and specific to cloud environments. Presently, ISO 27017 has only one edition, published in 2015. A second edition is in progress, slated to be published in 2025.
ISO/IEC 27017, as a framework, allows organizations to adopt a methodical and consistent approach to customer security by focusing thoroughly on cloud and data security. It applies specifically to cloud service providers and cloud service customers. ISO 27017 is comprehensive in the way it specifies what customers can expect from their cloud service providers as well as the responsibilities and obligations customers have to create and maintain a secure cloud environment.
ISO 27017 applies to cloud service providers who have an Information Security Management System in place as per the specifications laid out in ISO 27001. The framework evaluates the effective implementation of 37 controls under ISO/IEC 27002, which the organization can choose based on risk assessment.
An ISO 27017 certification is an essential badge for companies looking to stand out from the competition and assure customers of a consistent and sustainable commitment to cloud security. But getting ISO 27017 certified can be a bit different from other frameworks.
Unlike other frameworks, ISO 27017 is not a management standard, and companies cannot obtain an independent ISO 27017 certification. However, companies can include the controls specified within ISO 27017 while getting audited for ISO 27001.
Setting this difference aside, here’s a list of steps that companies need to follow to get ISO 27017 certified.
Conduct a thorough study of your current cloud security policies. An honest assessment of applicable cloud and security controls can help companies determine where their measures are falling short and what needs to be addressed.
At this point, it’s important to note, in detail, all the risks that could affect the confidentiality, integrity, availability and ownership of assets and systems, and to determine the impact and likelihood of these risks. Thorough risk management also helps the company determine the controls within ISO/IEC 27002 that fall within the scope of the exercise.
As mentioned earlier, the ISO 27017 certification happens in tandem with ISO 27001. Therefore, it’s important to conduct a thorough internal audit that assesses both ISMS implementation as well as controls relevant to cloud services. An effective internal audit undergoes three stages of review—documentation, field review (which generates an internal audit assessment report), as well as a management review. The findings from the assessment report need to be implemented and tested before considering a formal external audit.
Implement the controls and security guidelines outlined in the ISO 27017 framework. This is an ongoing effort that takes a significant bulk of time. Since ISO 27001 and ISO 27002 are typically deployed together, there may be a number of controls that are already implemented. The unique controls, however, need to be rolled out from scratch.
Once controls are implemented, it’s important to educate your employees on managing them effectively. Ensure your internal teams receive sufficient awareness and role-oriented training and updates so they can carry out their duties efficiently. Areas such as data handling, incident reporting, etc. need to be given special attention since they can impact both certifications.
Responsibilities are a crucial part of getting ISO 27017 certified. Create a team of security and control specialists that can help you choose the right ISO 27002 controls that are relevant to your organization and carry out the unique control requirements. Clearly define a timeline and an action plan for implementation.
ISO 27017, like any security framework is heavy on documentation. Create SOPs and take special care to document your business processes and controls along the way. These will not only function as evidence but also as guidelines for repeat certifications.
The first course of action is to notify the auditor that the scope of assessment includes the criteria of ISO/IEC 27017 in addition to ISO 27001. The external certification audit typically happens in two stages. The first stage entails auditing evidence of implementation and sufficiency. The auditor will also thoroughly review documentation of processes, SOPs, and practices in place as well as the systems that fall within the scope of the ISMS. The auditor then presents an assessment report of the findings which the company is required to act on.
The second phase of the audit takes place within six months of phase one. The auditor evaluates the ISMS on a sample basis to determine if the company’s ISMS is operating within ISO standards. The audit will finally assess the corrective and preventive actions the company has taken in response to the findings of phase one. The auditor then presents a list of observations that highlights major and minor non-conformities as well as opportunities for improvement. Major non-conformities will have to be addressed and the evidence will need to be shared with the auditor.
Compliance is not a one-time thing. Companies are expected to monitor their ISMS, undergo regular surveillance audits, and keep their systems updated regularly.
Standardized cloud security: ISO 27017 is a well-thought-out framework focused on reducing cloud-related risks and ensuring a standardized implementation of cloud-based security measures.
Complements ISMS implementation: ISO 27017 is deployed in tandem with other frameworks within the series. So implementing ISO 27017 ensures that the cloud element of operations complements the organization’s ISMS.
Brings together service providers and customers: ISO 27017 is explicit in the way it defines security roles and responsibilities for customers as well as service providers to ensure a high standard of protection.
Sustained approach to strategy: Implementing ISO 27017 ensures a long-term approach to data security strategy. The standards help organizations stand out from the competition and enable sustained development.
Reduced reputational risk: Companies that are ISO 27017 certified are able to greatly mitigate the risk related to data breaches. They are also able to enable better transparency of their cloud operations and build customer trust and strong business relationships.
ISO 27017 can be integrated with several other standards and frameworks to improve information security in general and cloud security in particular for organizations. Some of the standards and frameworks ISO 27017 can be integrated with are ISO/IEC 27001, ISO/IEC 27002, the Cloud Security Alliance (CSA), the National Institute of Standards and Technology (NIST), and the General Data Protection Regulation (GDPR).
Enterprises with high levels of non-compliance saw the average cost of a data breach increase 12.6% to $5.05 million in 2023. The average cost of a data breach involving data stored in a public cloud was $4.57 million. A recent study by Gartner states that the total end-user spending on public cloud services was estimated to reach $591.8 billion by the end of 2023, a 20.7% surge over the previous year.