Diving deeper into Cloud Security: The ISO 27017

The business comparison website Expert Insight found that 79% of companies have experienced at least one cloud data breach in the last 18 months.  

And the number of these types of attacks has been rising constantly for years. One might think that cloud solutions pose an increased security risk. However, that's not quite true. The rising number of attacks stems from the increasing popularity and use of cloud solutions and services. In fact, cloud solutions are often more secure than internally hosted IT because they automatically receive regular security updates. 

But not all clouds are created equal, and there are definitely providers and solutions with serious gaps in information security and data protection. Certifications such as ISO 27017 can help businesses to weed out bad players. 

Therefore, check your cloud service providers, if possible: Is there an own certification of the information security management system? Are there results of security tests (so-called penetration tests)? What contractual assurances does the service provider give?  

What is ISO 27017: A Quick Overview 

ISO 27017 is a security standard specifically for cloud service providers. It was developed by the International Organisation for Standardisation (ISO), an international body that develops and publishes standards for a wide range of products and services. 

ISO 27017 is to help organisations secure their data in the cloud. It covers a range of security controls, including: 

  • Information lifecycle management 

ISO 27017 is based on ISO 27002, a standard for information security management. We will compare different standards below. 

Purpose of ISO 27017: Getting deeper into Cloud Security 

The results and consequences of data breaches can be devastating if ISO 27017 is not put into place and strictly followed. For example, studies show that a breach of data can cost a company up to £2,000 or more. 

So, what is the purpose of ISO 27017? 

The standard provides guidance on implementing security controls within a cloud environment. This includes risk assessment and management, as well as security controls for access control, cryptography, physical and environmental security, and information lifecycle management. 

It is a code of practice that will negate some of the risks involved with storing information in the cloud, especially regarding data breaches. 

ISO 27017 is not a silver bullet that will guarantee the security of your data, but it is a good starting point.

Who can benefit from ISO 27017?

Any organisation that uses cloud services can benefit from ISO 27017. This includes small businesses, large enterprises, and government agencies. 

The standard is becoming a requirement in many fields and industries, including projects that involve sensitive information such as government contracts. Much like food safety standards in hospitality, ISO 27017 is becoming the norm for cloud service providers. While it is true that your clients will feel safe, it is also important to ISO 27017 for your own reputation. 
Your business will be seen as more trustworthy, and you will be able to command higher prices for your services. 

For those who offer cloud services, such as SaaS businesses, or you use cloud services to store confidential and sensitive information, it is crucial that you adhere to the standards set by ISO.  
You will see an uptick in business, client retention, and customer service by showing your clients that you are trustworthy and take their security seriously.  

Benefits of ISO 27017 Certification: Implementing Security 

If you are still wondering whether you should implement ISO 27017, let's take a look at some of the critical benefits involved when implementing the security standard. 

For example, ISO 27017 certification can: 

Help you win new business: Many organisations now require ISO 27017 certification as a prerequisite for doing business with them. 

Demonstrate to your customers that you take their security seriously: ISO 27017 certification is a great way to show your customers that you are committed to protecting their data. 

Increase confidence in your security posture: ISO 27017 certification can help increase your security posture, both internally and externally. 

Secures your brand image: ISO 27017 accreditation might assist you in safeguarding your brand image if a data leak happens. 

Protects you from legal action: ISO 27017 certification can help protect you from legal action in the event of a data breach. 

ISO 27017 is a comprehensive security standard covering various security controls. 

ISO 27017: Integration Standards 

ISO 27017 integrates with other security standards, such as ISO 27001. ISO 27001 is the ideal standard for any business, but ISO 27017 and ISO 27018 provide specific advantages for businesses that use cloud services. 

What does ISO 27001 include? 

ISO 27001 is a security standard that includes a set of requirements and guidelines for an Information Security Management System (ISMS). An ISMS is a system that helps organisations to manage their security risks. In fact, the ISO 27001 includes a six-step process to provide the best security possible. 

The steps include: 

  • Defining a security policy 
  • Conducting a risk assessment 
  • Implementing controls 
  • Communicating the security policy 
  • Monitoring and reviewing the security posture 
  • Maintaining the control objectives 

It also provides guidance on 37 additional controls, including: 

  • Operations security 
  • Asset management 
  • HR security 
  • Access control 
  • Reduced risk exposure 

What does ISO 27017 add? 

As you can see, ISO 27001 already sets the standard for information security management systems. So, what does ISO 27017 add? 

The standard builds on ISO 27001 and includes additional security controls specifically for cloud service providers. 

This includes controls for: 

ISO 27017 also includes guidance on implementing ISO 27001 in a cloud computing environment. 

Becoming ISO 27017 Certified: Step by Step Guide 

ISO 27017 certification is a great way to show your commitment to security if you are a cloud service provider. 

So how do you accomplish this trust with your clients? Let's take a look. 

Step One: Become 27001 Certified 

The first step to becoming ISO 27017 certified is to achieve ISO 27001 certification. You can do this by implementing an ISMS that meets the requirements of ISO 27001. 

Step Two: Implement ISO 27017 Controls 

Once you have ISO 27001 certification, you can start working on implementing the ISO 27017 security controls. You will need to implement all of the controls in ISO 27001 and the additional ISO 27017 controls. 

Step Three: Get ISO 27017 Certified 

Once you have implemented the ISO 27017 security controls, you can apply for ISO 27017 certification. You will need to go through an audit process to ensure that your security controls are up to par. 

If you are ISO 27001 certified, you may already be familiar with the audit process. 

Step Four: Maintain Your ISO 27017 Certification 

Once you are ISO 27017 certified, you will need to maintain your certification. You will need periodic audits to ensure that your security controls are still effective. 

Maintaining your ISO 27017 certification will show your clients that you are committed to security. 

ISO 27017 vs other standards 

We've discussed the relation ISO 27017 has to 27001. To summarise, ISO 27017 is a security standard that builds on ISO 27001. 

It includes additional security controls specifically for cloud service providers. 

ISO 27018 vs ISO 27017 

ISO 27018 is the other security standard specifically for cloud service providers. 

While there are similarities, considering they have the same foundations, ISO 27018 focuses on privacy, while ISO 27017 focuses on security. Additionally, ISO 27018 is a code of practice, while ISO 27017 is a specification. 

Which cloud standard is right for you: A quick summary 

Now that we've gone over the basics of ISO 27017, let's talk about which standard is suitable for you. 

If you are a cloud service provider, you should consider ISO 27017 certification. It's a great way to show your commitment to security. 

ISO 27001 is the ideal standard for any business, but ISO 27017 and ISO 27018 provide specific advantages that make them worth considering. ISO 27017 is an excellent choice for those who want to focus on security, while ISO 27018 is a great choice for those who want to focus on privacy. 

No matter which standard you choose, you can be sure that you are committing to security. 

Tackling Information Security with DataGuard 

You may already have noticed that standards such as ISO 27017 are phrased in a very abstract manner and contain hardly any concrete requirements and recommendations for action. Their implementation therefore relies on industry-specific expert advice. 

With our "Information Security as a Service" solution, we support you in setting up your Information Security Management System (ISMS) and prepare your business for an external ISO 27001 audit. 

Book a demo today or browse our blog for additional articles on security standards! 

Book an appointment

 

About the author

Get to know DataGuard

Simplify compliance

  • Streamline privacy, information security and compliance
  • Business advice - not legal jargon - from qualified experts
  • Time-saving technology to speed up repetitive tasks
  • Control your compliance budget with fair and transparent pricing

Bringing complete peace of mind to over 2,500 customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • External data protection officer
  • Audit of your privacy status-quo
  • Ongoing GDPR support from a industry experts
  • Automate repetitive privacy tasks
  • Priority support during breaches and emergencies
  • Get a defensible GDPR position - fast!

Bringing complete peace of mind to over 2,500 customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Prepare for ISO 27001 or TISAX®️®
  • Create missing assets, policies and documentation
  • Eye-level support from infosec experts
  • Staff security and phishing training
  • Get answers to your most pressing questions

Bringing complete peace of mind to over 2,500 customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Proactive support
  • Create essential documents and policies
  • Staff compliance training
  • Advice from industry experts

Bringing complete peace of mind to over 2,500 customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Get to know DataGuard

Simplify compliance

  • Comply with the EU Whistleblowing Directive
  • Centralised digital whistleblowing system
  • Fast implementation
  • Guidance from compliance experts
  • Transparent reporting

Bringing complete peace of mind to over 2,500 customers

Canon  Logo Contact Hyatt Logo Contact Holiday Inn  Logo Contact Unicef  Logo Contact Veganz Logo Contact Escada Logo Contact First Group Logo Contact TOCA Social Logo Contact Arri Logo Contact K Line  Logo Contact

Let's talk

Or call us now: +44 (0)20 3695-9373