Expert Advice Community

Guest

ISO 27017 certification process

  Quote
Guest
Guest user Created:   Mar 13, 2020 Last commented:   Mar 13, 2020

ISO 27017 certification process

My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
It is just about asking the audit provider to verify the additional questions and deliver the “statement of compliance.”? Or there is a certification that the company should conduct a proper and distinct audit to have it?

My second question is: Can a company say that it is certified for the information security management for the cloud computing services just with the ISO 27001/27002?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 13, 2020

My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
It is just about asking the audit provider to verify the additional questions and deliver the “statement of compliance.”? Or there is a certification that the company should conduct a proper and distinct audit to have it?

First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.

Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).

For further information, see:

My second question is : Can a company say that it is certified for the information security management for the cloud computing services just with the ISO 27001/27002?

ISO 27001 has enough security controls to allow an organization to be certified considering cloud computing services in its ISMS scope. You only would need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).

This article will provide you further explanation about ISMS scope:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 13, 2020

Mar 13, 2020

Suggested Topics

Guest user Created:   Aug 27, 2018 ISO 27001 & 22301
Replies: 1
0 0

Cloud security controls

Guest user Created:   Mar 02, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISO 27017