Certification and cloud providers
Assign topic to the user
How am I going to become 27001 compliant without implementing 27017? Is there perhaps a document where I can write that we have outsourced security in the cloud to this ISO-certified provider? Will that be enough?
Challenging my sponsor to either implement ISO27017 or in-source all outsourced data, will be complicated, to say the least.
Answer: First of all, even though your organization uses cloud services, it doesn't need to implement ISO 27017 to be compliant with ISO 27001. It is true that ISO 27017 provides cloud oriented recommendations and guidelines to help implement controls from ISO 27001 Annex A, but ISO 27001 controls are generic enough to cover cloud information security risks without the need to relay on ISO 27017.
Considering the fact that almost all data is placed at cloud pro viders, the main documents you should consider to record and handle this situation are the ISMS scope (where you have to state that some organization data are handled by cloud providers), the Statement of applicability (where you have to state which controls are to be implemented by cloud providers), and the service agreements/contracts signed between the organization and the cloud providers (where you have to include information security clauses the cloud providers must comply with).
You should note that, even if your sponsor wants to fulfil only the bare necessities of ISO 27001, since the data placed on cloud providers, the organization will have to consider these providers when performing the risk assessment and risk treatment process required by the standard, at risk of leaving a significant part of the information out of the process and thus not being able to comply with the standard.
This article will provide you further explanation about ISO 27017:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
These articles will provide you further explanation about handling suppliers:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
Comment as guest or Sign in
Nov 09, 2017