Looking for cloud security certification? ISO 27001 is the foundation.
ISO 27017 and ISO 27018 add cloud-specific controls on top of your ISO 27001 ISMS. If you are not yet ISO 27001 certified, that is the right starting point. If you are already certified and need to address cloud or privacy obligations for clients, these extensions are the next step.
What's involved
ISO 27017 and ISO 27018 provide cloud-specific security and privacy controls that extend your ISO 27001 ISMS. If you're a SaaS provider or cloud-native organisation, or you process PII in public cloud environments, these standards demonstrate to your clients that you take cloud security seriously.
ISO 27017 covers cloud-specific information security controls for both cloud service providers and cloud customers. ISO 27018 adds PII protection controls specific to public cloud computing. Together, they address the unique risks of cloud environments that ISO 27001 alone doesn't fully cover.
These implementations build on your existing ISO 27001 ISMS and can be pursued individually or together, depending on your client requirements and the nature of your cloud services.
Deliverables
- Cloud-specific gap analysis against ISO 27017 and/or ISO 27018
- Cloud security risk assessment and treatment plan
- Extended Statement of Applicability for cloud controls
- Cloud-specific policies, procedures, and operational guidelines
- Shared responsibility documentation for cloud service arrangements
- Certification audit preparation and support
Business benefits
- Demonstrate cloud security maturity to enterprise clients and regulators
- Address cloud-specific risks that ISO 27001 alone doesn't fully cover
- Clear shared responsibility documentation for your cloud arrangements
- Competitive advantage for SaaS providers in security-conscious markets
Engagement process
Not yet ISO 27001 certified?
ISO 27001 is the essential foundation before cloud-specific extensions. See what the certification path looks like for a business your size.
See the ISO 27001 path
Kaurna Acknowledgement
We acknowledge and pay our respects to the Kaurna people, the traditional custodians of the ancestral lands on which we work. We acknowledge the deep feelings of attachment and relationship of the Kaurna people to country and we respect and value their past, present and ongoing connection to the land and cultural beliefs.