ISMS Cloud Security Certification
What is ISMS Cloud Security Certification?
ISMS Cloud Security Certification is to certify organizations for appropriate implementation of the cloud specific controls (in ISO/IEC 27017) in addition to ISMS Certification (ISO/IEC 27001).
Organizations that have achieved ISMS certification are audited and certified for appropriate implementation of the cloud specific controls (in ISO/IEC 27017) to the cloud services that they provide or use within the scope of ISMS.
Businesses and public users can have trust in and use cloud services through the ISMS Cloud Security Certification.
The criteria for ISMS Cloud Security Certification
The criteria for ISMS Cloud Security certification is;
ISO/IEC 27017:2015 is a guideline that adds cloud service-specific information security controls and code of practice to ISO/IEC 27002:2013 and it is not a certification criteria (requirements).
The criteria (i.e. requirements) were needed to achieve certification based on ISO/IEC 27017 in addition to ISMS certification specifically for the use and provision of cloud services. “JIP-ISMS517-1.0 Requirements for ISMS Cloud Security Certification based on ISO/IEC 27017:2015” was developed as the criteria specific to ISMS Cloud Security Certification. As they are additional requirements (extension) to ISO/IEC 27001:2013, organizations that are to be certified for ISMS Cloud Security need to conform to ISO/IEC 27001:2013 as well as JIP-ISMS517-1.0.
Organizations eligible for ISMS Cloud Security Certification
Organizations that provide cloud services (cloud service provider), organizations that use cloud services (cloud service customer) or organizations that both provide and use cloud services can be certified for ISMS Cloud Security Certification (as shown below in the figures).
It does not matter what type of cloud service (e.g. IaaS, PaaS, SaaS) they provide or use.
Case A : An organization that provides cloud services (cloud service provider)
*Organization A can achieve ISMS Cloud Security Certification regardless of whether the external cloud service customer is certified against JIP-ISMS517-1.0.
Case B : An organization that uses cloud services (cloud service customer)
*Organization B can achieve ISMS Cloud Security Certification regardless of whether the external cloud service provider is certified against JIP-ISMS517-1.0.
Case C : An organization that provides and uses cloud services (cloud service provider & customer)
*When an organization uses cloud services operated by external organizations to provide its own cloud services, the organization can achieve ISMS cloud security certification by fulfilling the requirements for both cloud service providers and customers.
Example: A SaaS-type cloud service provider that uses IaaS operated by external organizations The organization needs to satisfy both the requirements for SaaS cloud service provider and those for cloud service customers as an IaaS user.