ISO 27017 27018

ISO 27017

Cloud customers are concerned about security - it remains a key reason why organizations hesitate to adopt cloud services despite the flexibility and scalability the cloud can offer. A key concern focuses around the ability of cloud service providers (CSPs) to treat customer data with sufficient care and attention.

The main elements of this are the worries that data could end up in the wrong hands and what control does a customer have over careless operators. But there are other concerns too: issues such as customer identity, segregation of assets on virtual servers and what happens to assets in the event of a CSP going out of business are also issues that play on potential cloud users' minds.

The ISO 27001 series addresses some of these concerns but a new standard, ISO/IEC 27017 Information technology - Security techniques, goes further and offers more peace of mind for potential cloud customers. Typical cloud standards and technical standards that address the cloud provider controls and guidance aimed at the cloud service provider.

It's not only the separation of responsibilities that the standard helps define: ISO/IEC 27017 also goes into much more detail about the type of security controls that service providers should be implementing - helping reduce the barriers to cloud adoption. ISO/IEC 27017 offers a way for cloud service providers to indicate the level of controls that have been implemented.

This means documented evidence - backed up by independent sources like certification to certain standards-show that appropriate policies have been implemented and, most importantly, what types of controls have been introduced. This information should be shared with the cloud customer before any contract is signed to help alleviate any potential issues in the future.

In cases where independent audits aren't practical or would pose a greater risk to information security , the standard does provide an option for CSPs to self-assess. When this is the case, the CSP must tell customers that they have self-assessed.

ISO 27018

The cloud offers organizations and consumers a variety of benefits: cost savings, flexibility and mobile access to information top the list. It also raises concerns about data protection and privacy; particularly around personally identifiable information (PII). PII includes any piece of information that can identify a specific user.

Whether you're new to ISO/IEC 27018 or looking to take your expertise further, we have the right approach to make you certified. We offer packages that can be customized to your business to get you started with information security management. An ISO/IEC 27018 package can be designed to remove the complexity of getting you where you want to be - whatever your starting point.

  • Inspires trust in your business - provides greater reassurance to your customers and stakeholders that personal data and information is protected.
  • Competitive advantage - stand out from your competitors by protecting personal information to the highest level.
  • Protects your brand protection - reduces the risk of adverse publicity due to data breaches.
  • Reduces risks - ensures that risks are identified and controls are in place to manage or reduce them.
  • Protects against fines - ensures that local regulations are complied with, reducing the risk of fines for data breaches.
  • Helps grow your business - provides common guidelines across different countries, making it easier to do business globally and gain access as a preferred supplier


It provides clarity regarding who is responsible for what between the cloud service provider and the cloud customer

Read more


It provides clarity regarding who is responsible for what between the cloud service provider and the cloud customer

Read more


Inspires trust on the business as customers have greater reassurance to customers and stakeholders

Read more


To whom does ISO/IEC 27018 apply?
This code of practice applies to CSPs that process PII under contract for other organizations.

Read more


Read more

What Our Customers Say?

Valency Networks is a very techie company, focusing on a continuous improvement in service quality. Our customers like us exactly for that and that helps us keep our quality to the best extent.