Organisations offering cloud services (Infrastructure, Platform or Software as a Service), as well as the customers of these cloud services, increasingly want additional guarantees that their data are really well secured. With DigiTrust's ISO 27017 and ISO 27018 certifications, companies can demonstrate exactly that. Both standards are intended for cloud services and demonstrate that information in the cloud is properly secured.
Context
ISO 27001 describes the requirements of an information security management system. This standard refers to the Annex A control measures, which are further detailed in ISO 27002. ISO 27017 and ISO 27018 are both based on ISO 27002, but they are different standards with different purposes. They not only ensure that cloud service providers properly protect customers' data, but also impose important obligations to inform customers in case of problems. In addition, a contract must be in place establishing that the data remains secure and that the provider can only access that data with the customer's permission.
ISO 27017 - Cloud security
ISO 27017 imposes requirements on cloud suppliers, but also on the customers of these cloud services. The standard contains cloud-specific control measures, regardless of what kind of data is processed. It distinguishes between the "cloud service customer" and the "cloud service provider", and defines specific and generic requirements for each. ISO 27017 adds cloud-specific requirements to 37 of the ISO 27002 control measures and defines seven additional measures.
ISO 27018 - Privacy protection
ISO 27018 is intended only for cloud providers that process personal data (the standard calls it Personally Identifiable Information, PII) and focuses on the security and handling of this data. Think of customer personal data, health and patient information, or information about citizens. For many customers, an ISO 27018 certification of the cloud service provider gives extra assurance that this sensitive data will not end up in the wrong hands. The standard is also based on ISO 27002, but has an additional set of management measures specifically aimed at protecting personal data. These include consent, data minimisation and the handling of privacy complaints, fully in line with the requirements of the AVG (the Dutch name for the GDPR).
Which standard to certify for?
ISO 27001 is the most well-known and most requested standard: organisations are audited against it and DigiTrust certifies against it under accreditation. For this reason, ISO 27001 is often asked for in contracts and tenders, rather than ISO 27017 or ISO 27018. Nevertheless, these standards are important for organisations offering cloud services and for the end users of these services. Usually, organisations with cloud services choose a combination of ISO 27001 and ISO 27017. Organisations that additionally process a lot of personal data usually opt for all three standards. Because both standards are based on ISO 27002, the step to become certified in accordance with ISO 27017 and/or ISO 27018 is quite small for organisations that are already ISO 27001 certified. The vast majority of the additional measures are already implemented, including through hosting contracts and processor agreements, but need to be tightened up.
More information
Would you like more information about ISO 27017 or ISO 27018 certification? Then get in touch with DigiTrust's specialists. Call 088-2245600 or mail info@digitrust.nl.