What is ISO 27017 Certification?

ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards. Within the ISO 27000 family of standards, ISO 27017 is a code of practice outlining additional information security controls, specifically for cloud service providers and their customers. The ISO 27017 standard provides cloud-specific guidance on 37 of the controls in ISO 27002 and also introduces seven new cloud controls that address shared roles and responsibilities, the monitoring of cloud service activity, alignment of the security management of the virtual and cloud network environments, and more.

Benefits of ISO 27017 Certification

Reduces operational risk

Wins market trust

Defines and clarifies responsibilities

Reduces information security risks

Who can be certified to ISO 27017?

Any organisation which provides cloud-based services can benefit from ISO/IEC 27017 certification – from online email providers and document management platforms to cloud-based apps and tools.

IT & IT Enabled Companies

Research and Development

Banking & Financial Institutions

Design Services

Organizations with Sensitive Data

Government Agencies

Telecoms

Documents required for ISO 27017 Certification

  • System Manual
  • System Procedure
  • Policy
  • Objectives
  • Mission & Vision
  • Standard Operating Procedure (SOP)
  • Checklist
  • Forms
  • Formats
  • Records

The extent of documented information differs according to:

  • Organization’s size
  • Activities performed by the organization
  • Processes undertaken by the Organization
  • Products and services offered by the organization
  • The complexity of processes undertaken
  • Competence of persons involved

Role of Shamkris and Process of ISO 27017 Certification

Shamkris adopts a results-oriented approach to effective system implementation in the organization. A simple and practical method of system implementation helps organizations increase business efficiency and sustainability. Shamkris supports 100% of the documentation required to achieve certification from the accreditation body, in addition to enhanced performance.

The implementation process is described below:

Day 1

GAP Analysis, Certification Body Selection, Cost Estimates

• Finding the gap between the existing system and the ISO 27017 requirements
• Selecting the appropriate certification body
• Cost estimates based on the scope of your business & the certification body you choose

Week 1

Developing Documents

• Management System Manual, Management System Procedures, Policy, Objectives, Forms etc.
• Review of Standard Operating Procedures (SOP)

Week 4

Implementing Management System

• ISO 27017 Awareness training for the top management and staff
• Implementing a well-documented management system throughout the organization

Week 8

Internal Audit, MRM, CAPA

• Internal audits identifying nonconformities against ISO 27017 requirements
• Management Review Meetings
• Corrective and Preventive Action plan for nonconformities

Week 10

Certification Body Audit, NC Closing

• Shamkris acts on your behalf and assists you in the third-party audit
• Closing of any nonconformities identified by the certification body

Week 12

Certification Body

• ISO 27017 certificate issued for 1 year

Year on Year

Yearly Compliance

• Support with yearly documentation for the audit

FAQ

ISO/IEC 27017:2015 provides guidance on the information security aspects of cloud computing, recommending the implementation of cloud-specific information security controls that supplement the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards.

ISO 27017 certification demonstrates cloud service security to users, while ISO 27018 certification ensures that personal data is processed securely.

ISO/IEC 27017 applies to organisations that provide services within a cloud computing environment and have an ISMS (information security management system) in place. As part of the ISMS, organisations can choose which controls from ISO/IEC 27002 they wish to implement based on their own risk assessment.

To summarise, ISO 27017 is a security standard that builds on ISO 27001. It includes additional security controls specifically for cloud service providers.