What is ISO 27017 Certification?
ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. Within the ISO 27000 family of standards, ISO 27017 is a code of practice outlining additional information security controls, specifically for cloud service providers and their customers. The ISO 27017 standard provides cloud-specific guidance on 37 of the controls in ISO 27002 and also adds seven new cloud controls that address shared roles and responsibilities, the monitoring of cloud service activity, alignment of the security management of the virtual and cloud network environment, and more.
Benefits of ISO 27017 Certification
- Reduces operational risk
- Wins market trust
- Defines and clarifies responsibilities
- Reduces information security risks
Who can obtain ISO 27017 Certification?
Any organisation which provides cloud-based services can benefit from ISO/IEC 27017 certification – from online email providers and document management platforms to cloud-based apps and tools.
- IT & IT-Enabled Companies
- Research and Development
- Banking & Financial Institutions
- Design Services
- Organizations with Sensitive Data
- Government Agencies
- Telecoms
Documents required for ISO 27017 Certification
- System Manual
- System Procedure
- Policy
- Objectives
- Mission & Vision
- Standard Operating Procedure (SOP)
- Checklist
- Forms
- Formats
- Records
The extent of documented information depends on:
- Organization’s size
- Activities performed by the organization
- Processes undertaken by the organization
- Products and services offered by the organization
- The complexity of processes undertaken
- Competence of persons involved
Role of Shamkris and Process of ISO 27017 Certification
Shamkris adopts a results-oriented approach to effective system implementation in the organization. A simple and practical method of system implementation helps organizations increase business efficiency and sustainability. Shamkris supports 100% of the documentation needed to obtain certification from an accredited certification body, in addition to enhanced performance.
The implementation process is described below:
Day 1
GAP Analysis, Certification Body Selection, Cost Estimates
• Finding the gap between the existing system and the ISO 27017 requirements
• Selecting the appropriate certification body
• Cost estimates based on the scope of your business and the certification body you choose
Week 1
Developing Documents
• Management System Manual, Management System Procedures, Policy, Objectives, Forms, etc.
• Review of Standard Operating Procedures (SOPs)
Week 4
Implementing Management System
• ISO 27017 awareness training for top management and staff
• Implementing a well-documented management system throughout the organization
Week 8
Internal Audit
MRM
CAPA
• Internal audits identifying nonconformities against ISO 27017 requirements
• Management Review Meetings (MRM)
• Corrective and Preventive Action (CAPA) plan for nonconformities
Week 10
Certification Body
Audit
NC Closing
• Shamkris acts on your behalf and assists you in the third-party audit
• Closing of any nonconformities identified by the certification body
Week 12
Certification Body
• ISO 27017 certificate issued for 1 year
Year on Year
Yearly Compliance
• Support with yearly documentation for the audit
ISO 27017 certification demonstrates the security of cloud services to customers, while ISO 27018 certification ensures that personal data in the cloud is processed securely.
ISO/IEC 27017 applies to organisations that provide services within the cloud computing environment and have an ISMS (information security management system) in place. As part of the ISMS, organisations can choose which controls from ISO/IEC 27002 they wish to implement based on their own risk assessment.
To summarise, ISO 27017 is a security standard that builds on ISO 27001. It includes additional security controls specifically for cloud service providers.