ISO 27017 (Cloud Security)

As proof of the security of cloud services

ISO / IEC 27017 is an international standard for securing cloud services. This standard defines specific recommendations for providers of cloud services. The standard belongs to the ISO / IEC 27001 family of standards, the requirements of ISO / IEC 27017 have been specially tailored for providers of cloud services. For each area of ​​the higher-level ISO / IEC 27001 standard, possible special features of cloud security are explicitly set out. This methodology enables you to identify these security requirements more quickly and integrate them into your security management system.

ISO / IEC 27017 emphasizes the importance of communication between companies of all types and their customers in order to develop suitable security management processes. In addition, ISO / IEC 27017 specifies the relationship between customers and cloud providers. It describes 

exactly what customers can expect from their provider and what information providers should keep ready for customers. ISO / IEC 27017 not only affects the providers of cloud services themselves, but also the security of the cloud as a whole. If the standard is adhered to, both sides can assume that all important points relating to safety are also taken into account in the respective service.

The standard can help cloud providers to identify important security aspects in order to decide on a suitable partner. IT decision-makers want more flexibility and want to be able to select the optimal provider for every application. The provision of IT services is developing from a chain to a network. The commercial and technical relationships multiply and that in turn leads to a whole new level of complexity. The ISO / IEC 27017 standardizes the relationships between customers and cloud service providers through an analysis grid and the targeted exchange of information, thus making it easier to manage the business relationship.

How it works

Your company is certified on the basis of ISO / IEC 27001 in implementation of ISO / IEC 27017. You will receive a corresponding certificate of conformity.

Certifications Process

The process starts with the client’s needs and expectations. DQS wants to learn about the client’s organization, its management system, size and types of operation. Together both parties will define objectives for the assessment and/or certification, including applicable standards and specifications.

DQS will provide a detailed offer for assessment and certification services, tailored to individual client needs, based on the information provided initially. A written contract will specify all relevant deliverables as well as applicable assessment and certification criteria.

A pre-audit can serve as initial performance or gap analysis, identifying strengths and areas for improvement. For larger assessment and certification projects a project planning meeting provides a valuable opportunity for the client to meet the lead assessor and develop a customized assessment plan for all functions and locations involved. Both services are optional.

The assessment procedure itself begins with review and evaluation of system documentation, goals, results of management review and internal audits. During this process, it will be determined whether the client’s management system is sufficiently developed and ready for certification. The assessor will explain findings and coordinate any required activities to prepare for the on-site system assessment.

The assigned auditor team will audit the client’s management system at the place of production or service delivery. Applying defined management system standards and specifications, the assessment team will evaluate the effectiveness of all functional areas as well as all management system processes, based upon observations, inspections, interviews, review of pertinent records, and other assessment techniques. The audit result, including all findings will be presented to the client during the closing meeting. Required action plans will be agreed upon as necessary.

The independent certification function of DQS will evaluate the audit process and its results, and decide independently about issuance of the certificate. The client receives an audit report, documenting the audit results. When all applicable requirements are fulfilled the client also receives the certificate.

Either semi-annually or at least once per year, there will be an on-site audit of the critical components of the management system. Improvement potential will be identified, with a focus on continual improvement and sustained effectiveness.

A management system certificate is valid for a limited period of time, frequently for a maximum of three years. At the end of this cycle, a re-audit will be carried out to ensure the ongoing fulfillment of all applicable requirements. Subject to this fulfillment, a new certificate will be issued.

Why DQS?

DQS is one of the leading Management System Certification, Audits, Assessment & Training organization globally. 


Truly Global Brand


Expert Auditors with High Emotional Intelligence


Local Capabilities & Delivery


Industry Leaders


Customized, Comprehensive & Actionable Insights


Pioneering Innovative Solutions


Passion for Quality & Excellence


Integrity & Trust

Want to Know more?

Ph: (080) 6661-6565 | +91 924 320 3043 | E: