Guest user Created: Mar 13, 2020 Last commented: Mar 13, 2020

ISO 27017 certification process

My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001. It is just about asking the audit provider to verify the additional questions and deliver the “statement of compliance.”? Or there is a certification that the company should conduct a proper and distinct audit to have it? My second question is: Can a company say that it is certified for the information security management for the cloud computing services just with the ISO 27001/27002?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Mar 13, 2020

My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
It is just about asking the audit provider to verify the additional questions and deliver the “statement of compliance.”? Or there is a certification that the company should conduct a proper and distinct audit to have it?

First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.

Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).

For further information, see:

ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/

My second question is : Can a company say that it is certified for the information security management for the cloud computing services just with the ISO 27001/27002?

ISO 27001 has enough security controls to allow an organization to be certified considering cloud computing services in its ISMS scope. You only would need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).

This article will provide you further explanation about ISMS scope:

How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Mar 13, 2020

Expert Advice Community