Cloud solutions introduce specific security risks that can be mitigated by an ISO/IEC 27001 management system combined with related certifications.
As with every management system standard, ISO/IEC 27001 applies to all organizations. As such, certain cloud requirements are either not covered or need further elaboration. The following standards provide additional controls to the ISO/IEC 27001 management system to help enhance certification.
Used with ISO/IEC 27001, ISO/IEC 27017 provides enhanced controls for cloud service providers (CSPs) and customers.
It outlines both parties’ roles and responsibilities to help make cloud services as secure as other data within a certified information security management system (ISMS).
ISO/IEC 27017 provides cloud-related guidance on several ISO/IEC 27002 controls, as well as some new cloud controls that address:
Used with ISO/IEC 27001, ISO/IEC 27018 provides CSPs acting as processors of personally identifiable information (PII) with specific guidance and additional controls for assessing risks and implementing state-of-the-art controls to protect PII.
Alongside an ISO/IEC 27001-compliant ISMS, Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) certification allows organizations to adopt cloud services by promoting greater transparency and shared responsibility.
CSA STAR certification involves a rigorous, independent third-party assessment of an organization’s security posture. CSPs and customers can demonstrate adherence to this well-established, globally recognized set of security controls specific to cloud services. It is based on achieving ISO/IEC 27001 certification and meeting the criteria specified in the Cloud Controls Matrix (CCM).
Certification also demonstrates that applicable cloud security issues have been assessed against the STAR Capability Maturity Model for managing activities in CCM control areas.
Together with an existing ISO/IEC 27001 certificate, CSA STAR certification provides evidence of an actively managed cloud security program.
These three certifications depend on an underlying ISO/IEC 27001 certificate. Which schemes to select will depend on the organization’s specific needs. ISO/IEC 27001 is the starting point, and it is possible to obtain certification for all of them simultaneously.
SGS InfoSec solutions can improve your efficiency while guiding you towards compliance with internationally recognized standards.
Our certification schemes cover many areas, including data processing and protection, cloud storage, facility and lottery security, and responding to business-critical events.
Our solutions include assessments and certifications to these standards:
Our expert instructors provide consistent, effective and high-quality training to ensure that your employees have the latest skills to enhance your organization. Our training methods include public, in-house, eLearning, virtual and blended learning.
Training includes four key courses to support ISO/IEC 27001 – Introduction, Implementation, Internal Auditor and Lead Auditor – and Cybersecurity Maturity Model Certification (CMMC).