ISO 27017 | Cloud security

To learn more about our services, leave your contact information here, and we will get back to you, or call 03-9450630.

What is ISO 27017?

ISO 27017 lists specific security and risk management guidelines for cloud services.

This international standard expands on ISO 27001 and is based on ISO 27002. It defines the responsibilities of cloud service providers and cloud users to make cloud services safer.

We offer you a simple way to meet the standard’s requirements and get certified. Our consultants have a wealth of experience in information security certification.

Our CISO-certified information security experts will adapt the certification process to your organization’s needs while ensuring full compliance with the standard.

With our CISO as a service offering, you can get a unique solution tailored to your needs, resources, and field of business.


What are the benefits of getting certified?

  • Your data will be better organized in the cloud, and information will be easier to find.
  • It helps you meet tender requirements and gives you an edge over competitors, as some clients have stricter security requirements.
  • Helps protect your business physically and logically.
  • It helps prevent unauthorized access and security breaches, thus minimizing damage from data loss.
  • It enables you to detect and manage risks and lowers your exposure to online fraud.
  • It speeds up your recovery from security incidents and improves your business continuity.
  • Raises your employees’ awareness of information security and privacy concerns.


Who has to comply with ISO 27017?

This standard is designed for:

  1. Cloud end-users: individuals who purchase and use cloud services.
  2. Cloud service providers: anyone who provides cloud services to end-users.


What are the responsibilities of a cloud user?

Cloud services allow organizations to store and process sensitive data and run sensitive systems in the cloud.

This makes the client highly dependent on the service. It also means cloud services must be highly secure to minimize the risk of data leaks and security breaches.

Before commencing work with a cloud service provider, a client has to ask the service provider for evidence that their service is as secure as they claim.

Before agreeing to work with a cloud service provider, always make sure that:

  1. The cloud service is suitable for the ways you want to store and use sensitive information. The cloud service provider’s information security policy is on par with yours and sufficient for your needs.

An information security policy needs to include the following:

    • Identity authentication and access controls.
    • Roles and responsibilities regarding information security—the cloud service provider must show detailed client documentation before being allowed access to sensitive information stored in the cloud. The responsibilities include information security incident management, regular backups, internal review and auditing processes, etc.
    • Cloud service providers working with multiple clients who store sensitive information must have parallel processes for different clients.
    • The cloud service provider has to disclose the cloud’s location to the client. Data transfers have regulatory implications if the cloud is in the EU but the backup is outside the EU or if the client is based outside the EU.
    • Data must remain protected if the client terminates the relationship with the service provider.

  2. Once you choose the right cloud service provider, list all the assets in the cloud.

    • You must also list everyone who has access to the cloud service, document their actions in the cloud, and ensure they attend comprehensive information security training about cloud use procedures and risk detection and management.
    • Set up access control policies for all cloud services. Use a strong authentication method and prepare specific procedures for handling data loss following critical actions.
    • Suppose an employee in a position of authority stops working for your company. In that case, you must ask the cloud service provider to revoke this user’s access to the cloud and present you with relevant documentation.


What are the responsibilities of a cloud service provider?

  1. The cloud service provider must inform their client of their information security policy and how it applies to the specific cloud services provided to the client.

The policy must include the following:

  • Identity authentication and access controls.
  • Information security requirements.
  • Direct user access risk management, including server and service isolation for clients and service types.
  • Communication with the clients regarding changes to the service, especially changes that occur during a security breach.
  2. The cloud service provider must train the company’s employees on information security topics. The training must include procedures for using the cloud and identifying risks.
  • The cloud service provider must disclose their services’ physical location to the client.
  • The service provider must also document the roles and responsibilities of information security and use a strong authentication method.
  • Upon termination of the business relations between the client and the service provider, the service provider must provide the client with documentation regarding deleting the client’s data from the cloud.
  • Suppose the service provider uses the services of another cloud service provider. In that case, it is the first service provider’s responsibility to ensure the third-party provider’s security level meets the client’s requirements.


Support from the best experts in the field:

We will give you access to an experienced expert consultant to get you certified. Hermeticon employs experts who specialize in information security and regulatory compliance.

Our comprehensive and efficient service will make the certification process quick and easy.


At the end of the process, you will receive the following:

  • Emergency security procedures tailored to your organization’s needs
  • A comprehensive risk survey
  • A clear and structured mechanism for managing information security in your organization

You can rest easy knowing we are at your service. Take your first step toward getting fully certified today.

At the end of the process, you will also receive:

  • A comprehensive information security risk survey
  • A clear and structured mechanism for managing information security in your organization
  • A business continuity plan

360° Cybersecurity & information security support

We provide technological solutions informed by legal expertise, combined with a deep understanding of organizational change and security awareness training.

Cybersecurity and information security solutions

We can identify and provide the right tech solutions for your organization.

Support from our resilience testing division

Our resilience testing experts have a wealth of experience and are well-versed in the most advanced security systems on the market.

A bespoke service scaled to match your needs

Over the years, we have gained a lot of experience. By taking a bird's-eye view of your business, we can identify your existing security weaknesses and provide your company's management with valuable insights.

Our information security experts are here for you.

Fill in your information or contact us and we'll be happy to be at your service!
  • Phone: 03-9450630
  • Mordehai Rojanski 18, Rishon LeTsiyon
  • Sun - Thu, 08:00-17:00