Objectives and scope of the ISO 27017, ISO 27018 and ISO 27036 standards.

The ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27036 standards are part of the ISO/IEC 27000 series, which provides guidelines and best practices for information security management. Each of them extends the generic controls of ISO/IEC 27001 and ISO/IEC 27002 to a specific context: cloud services, protection of personally identifiable information (PII) in public clouds, and supplier relationships (including the cloud supply chain), respectively.

ISO/IEC 27017, published in 2015, is a code of practice for information security controls in cloud services. It is based on ISO/IEC 27002 and applies both to cloud service providers and to cloud service customers. For each ISO/IEC 27002 control it adds cloud-specific implementation guidance, and it introduces a small set of additional controls that have no equivalent in ISO/IEC 27002, covering shared roles and responsibilities between provider and customer, removal of customer assets when a contract ends, segregation of tenants in virtual computing environments, hardening of virtual machines, and monitoring of cloud services. The objectives of ISO/IEC 27017 are to:

  • Provide a common framework for evaluating and implementing information security controls in the cloud
  • Help providers and customers protect the data processed in cloud services by making explicit which party is responsible for each control, so that no control is silently assumed to be covered by the other side
  • Provide guidance on implementing the ISO/IEC 27001 Annex A controls, as described in ISO/IEC 27002, in a cloud environment

The scope of ISO/IEC 27017 includes the following:

  • Information security controls applicable to cloud services
  • The use of cloud services within an organization's information security management system (ISMS)
  • The roles and responsibilities of cloud service providers and cloud service customers

ISO/IEC 27018, first published in 2014 and revised in 2019, is a code of practice for protecting personally identifiable information (PII) in public clouds. It is written for cloud service providers acting as PII processors, that is, providers that process personal data on behalf of their customers while the customer remains the PII controller; cloud service customers use it to set expectations for their providers and to verify contractual commitments. The standard builds on ISO/IEC 27002 and adds PII-specific controls derived from the privacy principles of ISO/IEC 29100, for example processing PII only on the customer's instructions and not for the provider's own marketing, notifying the customer of legally binding disclosure requests, returning or securely deleting PII at the end of the contract, and disclosing the countries in which PII may be stored. The objectives of ISO/IEC 27018 are to:

  • Provide guidance on protecting PII processed in public cloud services
  • Help providers and customers comply with privacy laws and regulations, and give customers evidence they can rely on when selecting a provider
  • Provide a common framework for evaluating and implementing privacy controls in the cloud

The scope of ISO/IEC 27018 includes the following:

  • PII protection controls applicable to public cloud services acting as PII processors
  • The use of cloud services within an organization's privacy and information security management arrangements
  • The roles and responsibilities of the PII controller (typically the cloud service customer) and the PII processor (the cloud service provider)

ISO/IEC 27036 is a multi-part standard on information security for supplier relationships rather than a cloud-only standard. Parts 1 to 3 (overview and concepts, requirements, and guidelines for ICT supply chain security) cover any acquirer-supplier relationship; Part 4, published in 2016, applies the same framework to cloud services and is the part this article refers to. It applies to organizations that acquire cloud services and to organizations that supply them. The objectives of ISO/IEC 27036 are to:

  • Provide a common framework for identifying and managing the information security risks introduced by suppliers, including cloud service providers and the providers' own sub-suppliers
  • Help acquirers gain enough visibility into a supplier's security practices to protect their data, even though the supplier's infrastructure is outside their direct control
  • Provide guidance on implementing the ISO/IEC 27001 supplier-relationship controls, as described in ISO/IEC 27002, across the whole lifecycle of the relationship, from selection and contracting through monitoring to termination

The scope of ISO/IEC 27036 includes the following:

  • Supply chain security controls applicable to cloud services, including requirements that flow down to the provider's sub-suppliers
  • The use of cloud services within an organization's supplier relationship and information security management processes
  • The roles and responsibilities of cloud service providers and cloud service customers as supplier and acquirer

In summary, ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27036 extend the ISO/IEC 27001 and 27002 framework to cloud services, to PII processed in public clouds, and to supplier relationships including the cloud supply chain, respectively. None of the three is a certification standard on its own: ISO/IEC 27017 and 27018 are normally assessed as control extensions within an ISO/IEC 27001 certification, and ISO/IEC 27036 is applied through an organization's supplier management processes and contracts. Implementing their controls does not by itself make a cloud service secure, but it gives providers and customers a shared, auditable vocabulary for deciding who is responsible for which control and for demonstrating that sensitive data and personal data are protected.

By iFactum 25 Feb, 2023