Secure cloud computing in accordance with ISO 27017
The international standard ISO 27017 contains specific requirements for the information security of cloud services. It gives both providers and users of cloud-based services practical guidelines for implementing effective information security controls.
ISO/IEC 27017 is an international standard that provides guidelines for information security controls specifically tailored to the provision and use of cloud services.
As an extension of the ISO/IEC 27002 standard, ISO 27017 provides additional controls and implementation guidance to address cloud-specific information security risks. The standard supports both cloud service providers and customers in ensuring a secure cloud computing environment.
The requirements of ISO 27017 are specifically tailored to cloud service providers. For each area of the overarching ISO 27001 information security standard, the cloud-specific security considerations that may apply are outlined. This structure lets you identify the relevant security requirements more quickly and integrate them into your security management system.
ISO 27017 is based on the well-known standard for information security management systems ISO 27001 and supplements it with security aspects for cloud computing. Certification to ISO 27001 is therefore also a prerequisite for an extension to ISO 27017.
Because every company has different needs and the scope of a management system varies, the cost of ISO 27017 certification cannot be stated in general terms.
In principle, the number of audit days required for the two certification audits is the decisive factor. Smaller and medium-sized companies generally require fewer days, whereas larger companies and groups should plan more time and budget accordingly.
We would be happy to provide you with a customised quote.
Cloud service providers (CSPs): Cloud service providers can obtain certification to demonstrate that they have implemented the recommended security practices for cloud services. This helps them to strengthen the trust of their customers and differentiate themselves in the market.
Organisations that use cloud services: Organisations that use cloud services can also become certified to ensure that their use of cloud services complies with security requirements and to validate their own security practices.
The ISO 27017 certificate is valid for a maximum of 3 years.
A surveillance audit must be carried out in the first and second year after successful certification. After 3 years, a recertification audit is carried out to check whether the requirements for renewing the certificate are still met.
As ISO 27017 is an extension of ISO 27001 on the subject of the cloud, it can only be certified together with ISO 27001.
The necessary prerequisite for ISO 27017 certification is therefore an existing ISMS that fulfils the requirements of ISO 27001 or is already certified in accordance with it.
Do you already have an ISO 27001 certificate?
In this case, your existing ISMS will be audited separately in accordance with ISO 27017. The resulting certificate then corresponds to the term of your ISO 27001 certificate.
Is your ISO 27001 certificate expiring?
In this case, it makes sense to synchronise the audits for ISO 27001 and ISO 27017.
Are you aiming for joint certification to ISO 27001 & ISO 27017?
If you start with ISO 27001 and ISO 27017 at the same time, the audits for the two standards will be synchronised.