• Consulting

    ISO 22000 Certification

    Getting certified with the world's leading food safety management standard.

    ISO 13485 Certification

    Getting certified with the global standard used by healthcare industry.

    ISO 27001 Certification

    Getting certified with a globally accepted indication of security effectiveness.

    Medical Device Regulatory

    Establish a complete and effective medical device regulatory strategy.

    ISO Consulting

    Increase product and service quality with Stendard's ISO consulting.

  • Software

    Stendard Solution™

    Summary of our product and features that may help your business process even greater and possibly solve your difficulties in business process.

    ISO Template

    Use our document generator to generate each Manual, Procedure, Form Templates and etc. Define the step-by-step instructions needed for each operation within the Work Instructions.

    Dashboard

    A powerful tool that streamlines the monitoring process and helps users make informed decisions based on the data that is most relevant to their needs.

    Library

    A simple but powerful module for you to store, organise and edit your files seamlessly without any hassle.

    Document Management System

    With Document Control, never worry about inaccuracy and non-compliance of documentation files and processes ever again.

    Workflow

    An effective way to reduce paperwork related hindrance within the workplace and improve organisational efficiency.

    Data Table

    With the ability to add, edit, and delete data, import data from external sources, and search and sort data, you can easily organize, analyze, and report on data in a more efficient manner.

    Form Builder

    Create any form that you need to support your daily activities. As the name suggests, building a form is now a breeze as you drag & drop components in.

    Academy

    Our aim at Stendard is not only to provide you with quality consulting services. We want to empower our clients such as yourself by providing a wide range of ISO related courses.

    Training Plan

    Create your training plan to group your training courses. By setting up these plan, you can set multiple items to be trained by several team members at once.

    Evidence Submission

    Compile and organise essential documents required for audits. With this module, you will be able to breeze through any up and coming audits without fearing missing or incorrect documents!

    Artificial Intelligence

    Our AI engine for Document Classification will help you significantly speed up the document classification process and allow less room for human error when handling these vast amounts of documents.

    Change Log

    Changelog will list all the updates and patches we have made to every software update to ensure that you know the new features or updates introduced to the system.

    Audit Trail

    You can ensure that accountability is incorporated into your organisation’s document management system with a robust audit trail system.

    Search (OCR)

    A simple but powerful tool to locate every single document you need.

  • Academy
  • About
Stendard Solution™
Contact Us
Search
Close this search box.

What is ISO 27017? Importance, Standards and Certification.

iso 27017

Due to the Covid-19 pandemic, there has been a gradual increase in cloud service adoption within the last two years to help cater to the rise in remote work. Cloud service providers supply cloud computing which is flexible and productive for their cloud service customers to get the job done in their comfort zone.

In contrast, when the management of cloud security is neglected or information security aspects are improperly handled, it may result in security threats and higher business costs.

From the Cloud Security Report 2021, some of the significant security concerns regarding cloud services are listed below:

  • Data Loss or Data Leakage – 69% of most organisations regard this as their critical information security management concern. The scope of ease in data sharing in virtual cloud services raised concerns about security controls.

  • Data Privacy and Confidentiality – Most organisations adopt cloud services without having critical knowledge of information security controls or additional implementation guidance to ensure their employees understand their responsibilities in using the cloud services. The lack of controls and implementation guidance might cause sensitive data to be exposed.

  • Regulatory compliance requirements related to physical data movement, such as protected information to virtual computing environments, might make regulatory compliance more tedious. This is due to limited information security controls in some layers of cloud computing infrastructure.

  • Loss of Visibility – The organisation (cloud service customer) engaged with a cloud service provider to adopt cloud computing for their corporate network, which the organisation itself does not own. Some organisations might not have adequate information technology security techniques or relevant controls. This limits their monitoring responsibilities on cloud platforms to protect themselves against potential threats.

To mitigate the abovementioned concerns, organisations need to adopt a strategic practice for information security, such as using ISO/IEC 27017. It examines both the roles and responsibilities of cloud service providers and cloud service customers on the cloud computing platform.

What is ISO 27017? 

ISO/IEC 27017:2015 provides information security guidelines for organisations that use cloud services. The international standard recommends and assists cloud service providers with the information security controls applicable to their cloud service. This code of practice also supplements the guidance of ISO/IEC 27002 and ISO/IEC 27001 standards by including implementation guidance and additional controls specific to cloud service.

Why is ISO 27017 important? 

According to IBM 2021 report, to completely resolve a data breach costs an average of $4.24 million US dollars. ISO/IEC 27017 provides a framework that advises aligning security management for cloud service and virtual and physical networks.

When your organisation is committed to this international standard, there will be a significant reduction in the likelihood of data breaches, increasing your customers’ confidence.

Your customers must trust that their data is safe in the cloud service. Therefore as a cloud service provider, it is crucial to signal to your cloud service customer that your organisation takes security threats such as data breaches seriously and is making every effort to minimise them. Certifying ISO 27017 assures customers that their information in the cloud is secured.

Is ISO 27017 a certification?

Since ISO 27017 is not a management system standard, unlike ISO 27001, you can’t attain certification for this standard. However, you can certify against ISO 27017 during an ISO 27001 certification process. To do so, you have to include the specific controls in ISO 27017 into the scope of the ISO 27001 certification audit. Expanding your ISO 27001 scope to cover the ISO 27017 controls allows you to attain an independently verified certification to demonstrate the conformance to that standard.

What is the latest version of ISO 27017?

ISO/IEC 27017:2015 – Information Technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services is the latest version of this international standard published in 2015. This standard is part of the ISO/IEC 27000 family of standards concerning information security management. The standard extends from ISO/IEC 27002 for cloud environments to include additional controls not originally included in ISO/IEC 27002.

What are the domains of ISO 27001?

The latest version of ISO 27001: 2013 contains 14 domains, and a risk assessment should determine which controls are needed while others can be excluded from the information security management system. The respective 14 domains are listed below:

  • Information security policies
  • Organisation of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

How many controls are there in ISO 27017?

ISO/ IEC 27017: 2015 provides guidance on 37 controls based on ISO/IEC 27002 and also includes seven exclusive controls, which are:

  • Shared roles and responsibilities within a cloud computing environment
  • Removal and retrieval of cloud service customer assets upon termination of the contract
  • Protection and segregation of customer’s virtual computing environment from other customer data
  • Virtual machine hardening to cater to business requirements
  • Administrator operational security
  • Enable customers to monitor their cloud computing activities
  • Alignment of security management for physical and virtual networks

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 provides a framework which includes additional guidance and recommendations for implementing cloud-specific information security controls based on ISO 27002. ISO 27018 guides ensure privacy in cloud computing services, assisting cloud service providers in properly handling personally identifiable information.

Conclusion

ISO 27017: 2015 sets out guidelines for a cloud service provider to implement to provide a safeguarded cloud-based service and reduce the potential security threats. Your organisation needs to implement ISO 27017 if your organisation is a cloud storage provider or uses cloud storage directly for your business operations.

Customers are more likely to work with your organisation if they are confident that their data are handled safely. Your organisation will benefit from a better company image and reduced risk of security damage; therefore, it is strongly encouraged to comply with ISO 27017.

To comply with ISO 27017, your organisation must first undergo ISO 27001 certification. Expanding ISO 27017 controls into ISO 27001 scope will allow you to achieve the statement certifying that your organisation complies with ISO 27017 under your ISO 27001 certificate.

If your organisation needs help with compliance with ISO 27017, let us assist you in complying with the regulatory requirements more efficiently.

Sources

1. https://www.ibm.com/downloads/cas/OJDVQGRY

Stendard's ISO Consulting Services

Learn More

our Academy e-learning course:

See more info
Show me all available courses
See more info

Do you have any questions?

Drop us an inquiry now!

Get In Touch

REGULATION

ISO Consulting

RESOURCES

COMPANY

SOFTWARE

CONNECT WITH US

Facebook Twitter Linkedin

© 2016-2024 YNL 360 Pte Ltd d.b.a Stendard. All rights reserved.

TERMS OF SERVICEPRIVACY POLICY.