ISO 27017 certification
Answer:
First, it is important to note that ISO 27017 is not a certifiable standard. It only provides additional guidelines for the implementation of ISO 27001 Annex A controls, although there are some certification bodies issuing unofficial certificates for ISO 27017, provided that the organization already has an ISO 27001 certification.
Considering that, your understanding is correct about only needing to implement necessary additions covering specifics from ISO 27017 in an ISO 27001 certified ISMS to claim compliance with ISO 27017.
This article will provide you with further explanation about ISO 27017:
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
We've received an additional question:
>Thanks for the answer, but I still have not received a response to the question, are there any documents that can only be used for 27017 assuming that I already have prepared documents for 27001?
Answer:
First of all, sorry for this confusion.
Most of the adjustments to include ISO 27017 recommendations can be made on existing ISO 27001 documents. The only documents you should create specifically for ISO 27017 are a Cloud Security Policy and a Policy for Data Privacy in the Cloud.
To see an example of how ISO 27017 recommendations relate to ISO 27001 documents, please take a look at the List of documents file of our ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit at this link: https://advisera.com/wp-content/uploads//sites/5/2019/03/List_of_documents_ISO_27001_ISO_27017_ISO_27018_Cloud_Documentation_Toolkit_EN.pdf
Apr 03, 2019