The business comparison website Expert Insight found that 79% of companies have experienced at least one cloud data breach in the last 18 months.
And the number of these types of attacks has been rising constantly for years. One might think that cloud solutions pose an increased security risk. However, that's not quite true. The rising number of attacks stems from the increasing popularity and use of cloud solutions and services. In fact, cloud solutions are often more secure than internally hosted IT because they automatically receive regular security updates.
But not all clouds are created equal, and there are definitely providers and solutions with serious gaps in information security and data protection. Certifications such as ISO 27017 can help businesses to weed out bad players.
Therefore, check your cloud service providers wherever possible: Does the provider hold its own certification for its information security management system? Are there results of security tests (so-called penetration tests)? What contractual assurances does the service provider give?
In this article
- What is ISO 27017: A Quick Overview
- Purpose of ISO 27017: Getting deeper into Cloud Security
- Who can benefit from ISO 27017?
- What does ISO 27001 include?
- What does ISO 27017 add?
- Becoming ISO 27017 Certified: Step by Step Guide
- ISO 27017 vs other standards
- Which cloud standard is right for you: A quick summary
- Tackling Information Security with DataGuard
What is ISO 27017: A Quick Overview
ISO 27017 is a security standard specifically for cloud service providers. It was developed by the International Organisation for Standardisation (ISO), an international body that develops and publishes standards for a wide range of products and services.
ISO 27017 is intended to help organisations secure their data in the cloud. It covers a range of security controls, including:
- Information lifecycle management
ISO 27017 is based on ISO 27002, a standard for information security management. We will compare different standards below.
Purpose of ISO 27017: Getting deeper into Cloud Security
The results and consequences of data breaches can be devastating if ISO 27017 is not put into place and strictly followed. For example, studies show that a breach of data can cost a company up to £2,000 or more.
So, what is the purpose of ISO 27017?
The standard provides guidance on implementing security controls within a cloud environment. This includes risk assessment and management, as well as security controls for access control, cryptography, physical and environmental security, and information lifecycle management.
It is a code of practice that will negate some of the risks involved with storing information in the cloud, especially regarding data breaches.
ISO 27017 is not a silver bullet that will guarantee the security of your data, but it is a good starting point.
Who can benefit from ISO 27017?
Any organisation that uses cloud services can benefit from ISO 27017. This includes small businesses, large enterprises, and government agencies.
The standard is becoming a requirement in many fields and industries, including projects that involve sensitive information such as government contracts. Much like food safety standards in hospitality, ISO 27017 is becoming the norm for cloud service providers. While it is true that your clients will feel safe, it is also important to adopt ISO 27017 for your own reputation.
Your business will be seen as more trustworthy, and you will be able to command higher prices for your services.
If you offer cloud services, as SaaS businesses do, or you use cloud services to store confidential and sensitive information, it is crucial that you adhere to the standards set by ISO.
You will see an uptick in business, client retention, and customer service by showing your clients that you are trustworthy and take their security seriously.
Benefits of ISO 27017 Certification: Implementing Security
If you are still wondering whether you should implement ISO 27017, let's take a look at some of the critical benefits involved when implementing the security standard.
For example, ISO 27017 certification can:
- Help you win new business: Many organisations now require ISO 27017 certification as a prerequisite for doing business with them.
- Demonstrate to your customers that you take their security seriously: ISO 27017 certification is a great way to show your customers that you are committed to protecting their data.
- Increase confidence in your security posture: ISO 27017 certification can help strengthen your security posture, both internally and externally.
- Secure your brand image: ISO 27017 accreditation might assist you in safeguarding your brand image if a data leak happens.
- Protect you from legal action: ISO 27017 certification can help protect you from legal action in the event of a data breach.
ISO 27017 is a comprehensive security standard covering various security controls.
ISO 27017: Integration Standards
ISO 27017 integrates with other security standards, such as ISO 27001. ISO 27001 is the ideal standard for any business, but ISO 27017 and ISO 27018 provide specific advantages for businesses that use cloud services.
What does ISO 27001 include?
ISO 27001 is a security standard that includes a set of requirements and guidelines for an Information Security Management System (ISMS). An ISMS is a system that helps organisations to manage their security risks. ISO 27001 includes a six-step process to provide the best security possible.
The steps include:
- Defining a security policy
- Conducting a risk assessment
- Implementing controls
- Communicating the security policy
- Monitoring and reviewing the security posture
- Maintaining the control objectives
It also provides guidance on 37 additional controls, including:
- Operations security
- Asset management
- HR security
- Access control
- Reduced risk exposure
What does ISO 27017 add?
As you can see, ISO 27001 already sets the standard for information security management systems. So, what does ISO 27017 add?
The standard builds on ISO 27001 and includes additional security controls specifically for cloud service providers.
This includes controls for:
- Risk assessment and management
- Security of information in the cloud
- Cloud service provider security responsibility
- Incident management
ISO 27017 also includes guidance on implementing ISO 27001 in a cloud computing environment.
Becoming ISO 27017 Certified: Step by Step Guide
ISO 27017 certification is a great way to show your commitment to security if you are a cloud service provider.
So how do you accomplish this trust with your clients? Let's take a look.
Step One: Become ISO 27001 Certified
The first step to becoming ISO 27017 certified is to achieve ISO 27001 certification. You can do this by implementing an ISMS that meets the requirements of ISO 27001.
Step Two: Implement ISO 27017 Controls
Once you have ISO 27001 certification, you can start working on implementing the ISO 27017 security controls. You will need to implement all of the controls in ISO 27001 and the additional ISO 27017 controls.
Step Three: Get ISO 27017 Certified
Once you have implemented the ISO 27017 security controls, you can apply for ISO 27017 certification. You will need to go through an audit process to ensure that your security controls are up to par.
If you are ISO 27001 certified, you may already be familiar with the audit process.
Step Four: Maintain Your ISO 27017 Certification
Once you are ISO 27017 certified, you will need to maintain your certification. You will need periodic audits to ensure that your security controls are still effective.
Maintaining your ISO 27017 certification will show your clients that you are committed to security.
ISO 27017 vs other standards
We've discussed the relationship between ISO 27017 and ISO 27001. To summarise, ISO 27017 is a security standard that builds on ISO 27001.
It includes additional security controls specifically for cloud service providers.
ISO 27018 vs ISO 27017
ISO 27018 is the other security standard specifically for cloud service providers.
While there are similarities, considering they have the same foundations, ISO 27018 focuses on privacy, while ISO 27017 focuses on security. Additionally, ISO 27018 is a code of practice, while ISO 27017 is a specification.
Which cloud standard is right for you: A quick summary
Now that we've gone over the basics of ISO 27017, let's talk about which standard is suitable for you.
If you are a cloud service provider, you should consider ISO 27017 certification. It's a great way to show your commitment to security.
ISO 27001 is the ideal standard for any business, but ISO 27017 and ISO 27018 provide specific advantages that make them worth considering. ISO 27017 is an excellent choice for those who want to focus on security, while ISO 27018 is a great choice for those who want to focus on privacy.
No matter which standard you choose, you can be sure that you are committing to security.
Tackling Information Security with DataGuard
You may already have noticed that standards such as ISO 27017 are phrased in a very abstract manner and contain hardly any concrete requirements and recommendations for action. Their implementation therefore relies on industry-specific expert advice.
With our "Information Security as a Service" solution, we support you in setting up your Information Security Management System (ISMS) and prepare your business for an external ISO 27001 audit.
Book a demo today or browse our blog for additional articles on security standards!