ISO 27017 and ISO 27018
The ISO 27017 and ISO 27018 standards complement your ISO 27001 certification. If you want to stand out as a cloud provider, discuss the possibilities with us.
- Your audit starts when it suits your organisation.
- Personal guidance throughout the certification process.
- Competitive prices.
More than 500 organisations have already gone before you.
![ISO 27017 and ISO 27018 - DigiTrust](https://www.digitrust.nl/wp-content/uploads/2023/11/ISO-27017-en-ISO-27018-DigiTrust.jpeg)
The standards explained
DigiTrust certifies cloud services according to ISO 27017 and ISO 27018
Organisations offering cloud services (Infrastructure, Platform or Software as a Service), as well as the customers of those services, increasingly want additional assurance that their data is really well protected. With DigiTrust's ISO 27017 and ISO 27018 certifications, companies can demonstrate exactly that. Both standards are intended for cloud services and demonstrate that information in the cloud is properly protected.
Context of ISO 27017 and ISO 27018
ISO 27001 describes the requirements for an information security management system. It refers to the Annex A control measures, which are further detailed in ISO 27002. ISO 27017 and ISO 27018 are both based on ISO 27002, but they are different standards with different purposes. They not only ensure that cloud service providers properly protect their customers' data, but also impose important obligations to inform customers when something goes wrong. In addition, a contract must be in place that establishes that the data remains secure and that the provider may only access it with the customer's permission.
The steps explained
Certify for ISO 27017 or ISO 27018?
ISO 27001 is the most widely known and most frequently requested standard; DigiTrust audits and certifies against it under accreditation. For this reason, contracts and tenders usually ask for ISO 27001 rather than ISO 27017 or ISO 27018. Nevertheless, these standards matter for organisations that offer cloud services and for the end users of those services. Organisations with cloud services usually choose a combination of ISO 27001 and ISO 27017; organisations that additionally process a lot of personal data usually opt for all three standards. Because both standards are based on ISO 27002, the step to certification in accordance with ISO 27017 and/or ISO 27018 is quite small for organisations that are already ISO 27001 certified: the vast majority of the additional measures are already in place, for instance through hosting contracts and processor agreements, but need to be tightened up.
Pre-audit
During the pre-audit, we check whether you are ready for certification. What is the status of the management system? Are there any issues that may not be in order? Together with you, DigiTrust determines which topics the pre-audit should cover, and how long it should take. Usually this is between 2 and 4 days, enough for a good picture of the management system and all control measures. After each pre-audit, DigiTrust provides you with a clear audit report detailing where you may not yet be working in accordance with the requirements.
Tip: this is a frequently chosen option. It really gets you started in the process and immediately gives you a good idea of where you stand as an organisation.
Initial certification
DigiTrust tests whether the system works and functions according to the requirements of ISO 27001. This assessment also covers operations at your office as well as at the implementation site. The initial certification consists of two parts: the phase 1 audit and the phase 2 audit.
Phase 1
During the phase 1 audit, we take a high-level look at your management system (ISMS) and assess whether you are really ready for the phase 2 audit. Together we also draw up the audit plan for phase 2: who we need to speak to, and when.
Phase 2
During the phase 2 audit, we test the ISMS and all control measures.
Issue certificate
In case of a positive assessment, the auditor nominates the organisation for certification. The certification manager then performs a quality check on the file. If everything is in order, you receive the ISO 27001 certificate.
Surveillance audits
During the term of the certificate, which is usually three years, DigiTrust conducts an annual surveillance audit. During a surveillance audit, we sample the various elements of the standard. In case of a positive assessment, the current certificate remains valid.
Reassessment
DigiTrust visits about three months before the certificate expires for the reassessment. This assessment has the same scope as the initial certification audit and, if the result is positive, the certificate is renewed for another three years.
ISO 27017 Cloud security
ISO 27017 imposes requirements on cloud providers but also on the customers of these cloud services. The standard contains cloud-specific control measures, regardless of what kind of data is processed. It distinguishes between the "cloud service customer" and the "cloud service provider", and defines both generic and specific requirements for each. ISO 27017 adds cloud-specific implementation guidance to 37 of the ISO 27002 control measures and defines seven additional cloud-specific controls.
ISO 27018 Privacy protection
ISO 27018 is intended only for cloud providers that process personal data (the standard calls it Personally Identifiable Information, PII) and focuses on the security and handling of that data. Think of customer personal data, health and patient information, or information about citizens. For many customers, an ISO 27018 certification of their cloud service provider gives extra assurance that this sensitive data will not end up in the wrong hands. The standard is also based on ISO 27002, but adds a set of control measures specifically aimed at protecting personal data, such as consent, data minimisation and the handling of privacy complaints. These are fully in line with the requirements of the GDPR (AVG).
Questions about ISO 27017 and ISO 27018, or curious about the possibilities?
Our specialists will be happy to tell you more. Call us on 088-224 56 00, email us at sales@digitrust.nl or use our online contact form. We will be happy to visit you for a no-obligation introduction.
Read more here about acquiring the relevant standard.