A technical trio to support your cloud solutions
Cloud solutions introduce specific security risks that can be mitigated by an ISO/IEC 27001 management system combined with related certifications.

As with every management system standard, ISO/IEC 27001 applies to all organizations. As such, certain cloud requirements are either not covered or need further elaboration. The following standards provide additional controls to the ISO/IEC 27001 management system to help enhance certification.

1. Introducing ISO/IEC 27017

Used with ISO/IEC 27001, ISO/IEC 27017 provides enhanced controls for cloud service providers (CSPs) and customers.

It outlines both parties’ roles and responsibilities to help make cloud services as secure as other data within a certified information security management system (ISMS).

ISO/IEC 27017 provides cloud-related guidance on several ISO/IEC 27002 controls, as well as some new cloud controls that address:

  • CSP and customer responsibilities
  • Removing/returning assets when a contract terminates
  • Protecting and separating the customer’s virtual environment
  • Virtual machine configuration
  • Cloud environment administration and procedures
  • Monitoring customer activity within the cloud
  • Virtual and cloud network environment alignment

2. Introducing ISO/IEC 27018

Used with ISO/IEC 27001, ISO/IEC 27018 provides CSPs that act as processors of personally identifiable information (PII) with specific guidance and additional controls for assessing risks and implementing state-of-the-art controls to protect PII.

ISO/IEC 27017 & ISO/IEC 27018’s benefits
  • Greater trust in your organization by providing better reassurance that customer/stakeholder data is protected
  • A competitive advantage by showing that robust controls are in place
  • Protect brand reputation by reducing the risk of bad publicity due to data breaches
  • Reduce risks by identifying issues and ensuring that controls are in place
  • Protect against fines by ensuring compliance with local regulations
  • Grow your business by providing common guidelines across many countries, making it easier to do business globally and to access preferred suppliers

3. Introducing CSA STAR certification

Alongside an ISO/IEC 27001-compliant ISMS, Cloud Security Alliance (CSA) Security, Trust, Assurance and Risk (STAR) certification allows organizations to adopt cloud services by promoting greater transparency and shared responsibility.

CSA STAR certification involves a rigorous, independent third-party assessment of an organization’s security posture. Through it, CSPs and customers can demonstrate adherence to this well-established, globally recognized set of security controls specific to cloud services. It is based on achieving ISO/IEC 27001 certification and meeting the criteria specified in the Cloud Controls Matrix (CCM).

Certification also demonstrates that applicable cloud security issues have been assessed against the STAR Capability Maturity Model for managing activities in CCM control areas.

Together with an existing ISO/IEC 27001 certificate, CSA STAR certification provides evidence of an actively managed cloud security program.

CSA STAR’s benefits
  • Industry-recognized third-party certification based on the CSA requirements catalog
  • Create more confidence, reputation and business as customers ask for proof of cloud security measures
  • Provide top management with visibility to evaluate their management system relating to cloud security industry expectations and ISO/IEC 27001
  • Showcase how your organization aims to optimize cloud services
  • Demonstrate progress and performance through an independently validated award from an external certified body
  • Benchmark performance against your peers

In summary

These three certifications depend on an underlying ISO/IEC 27001 certificate. Selection of these schemes will be based on the organization’s specific needs. ISO/IEC 27001 is a starting point, as it is possible to get certification for all of them simultaneously.

Key InfoSec benefits
  • Protect critical data and assets, and reduce costs and losses
  • A competitive differentiator
  • Decrease the likelihood of incidents
  • Reduce negative impact if incidents occur

How we can help

SGS InfoSec solutions can improve your efficiency while guiding you towards compliance with internationally recognized standards.

Our certification schemes cover many areas, including data processing and protection, cloud storage, facility and lottery security, and responding to business-critical events.

A suite of security solutions

Our solutions include assessments and certifications to these standards:

  • ISO/IEC 20000, IT service management
  • ISO 22301, business continuity management systems – requirements
  • ISO/IEC 27001, information security management systems
  • ISO/IEC 27017, code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018, code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27701, extension to ISO/IEC 27001 & 27002 for privacy information management
  • World Lottery Association-Security Control Standard (WLA-SCS)
InfoSec training solutions

Our expert instructors provide consistent, effective and high-quality training to ensure that your employees have the latest skills to enhance your organization. Our training methods include public, in-house, eLearning, virtual and blended learning.

Training includes four key courses to support ISO/IEC 27001 – Introduction, Implementation, Internal Auditor and Lead Auditor – and Cybersecurity Maturity Model Certification (CMMC).
