• Inquiry
  • +81-3-6425-6735
    (Business hours 9:00 am - 6:00 pm)

ISO27017 Certification


What is ISO27017/27018?

ISO 27017 and ISO 27018 are both standards for security controls in cloud computing. In recent years, cloud services such as Salesforce, Kintone, Amazon Web Services (AWS), Dropbox, and Google Drive have become familiar and easy to use. While these services can bring great value to a business when properly managed and operated, the security risks they introduce (data held by a third party, shared infrastructure, administrative access by the provider) must be rigorously understood and managed.

ISO 27017 and ISO 27018 were formulated against this backdrop. Neither is a stand-alone certification: both are add-on (extension) standards to ISO 27001 (ISMS), and an organisation seeking either certification must already hold ISO 27001 or obtain it at the same time.

What is the difference between ISO 27017 and ISO 27018?

ISO 27017 and ISO 27018 differ in scope:
ISO 27017 extends the controls of ISO 27001 with cloud-specific guidance and applies to both cloud service providers and cloud service customers, i.e. any business that operates or uses cloud services.
ISO 27018, on the other hand, is limited to the protection of personal information (PII) processed in cloud services and applies only to businesses that provide cloud services. Before starting the certification process, it is therefore necessary to determine which standard applies to the customer's business.

Flow of ISO 27017/18 Certification Activities

1. Review/determine the scope of certification.
  • Review and determine the scope of cloud security certification.
    (MASON can also refer to case studies of customers in the same industry.)
2. Cloud Security Assessment
  • MASON reviews and determines the risk assessment and response plan for cloud service security.
  • MASON performs a risk assessment of cloud-specific assets for the ISO 27001 add-on standards.
3. Creation and review of ISO documents
  • Adds cloud-security-specific documentation to the existing ISO 27001 documentation.
4. Employee training
  • MASON provides security training for employees involved in cloud computing via Zoom meetings and group training sessions.
5. Internal Cloud Systems Audit
  • Conduct internal audits focusing on cloud computing systems.
6. Management review
  • MASON reports the results of ISO27001 & ISO27017 operation to the management.
7. External Cloud Systems Audit
  • Undergo the Stage 1 and Stage 2 audits conducted by an external certification body.
8. Response to Audit Findings
  • After the audit, MASON works jointly with the customer to implement corrective measures for any nonconformities raised.

Consulting Fees for ISO 27017/18 Certification

1. Standard plan

MASON creates the necessary documentation for the customer based on examples from other companies, and works with the customer to obtain certification with the minimum man-hours required.

Service Fee: 480,000 yen
Period: 3 months (minimum)

2. Full Outsource Plan

Includes one year of ongoing support after ISO27001 & ISO27017 certification is obtained.
Recommended for customers who are concerned about the surveillance (maintenance) audits that follow certification and who want to establish ISO operations in-house.

Service Fee: 780,000 yen
Period: approx. 3 months (obtaining certification), followed by 12 months (surveillance audit support)

MASON also provides services tailored to individual customer needs. Please contact us.

MASON Consulting, Co., Ltd.

10th Floor Shiba Daimon Center Bldg.,
1-10-11 Shiba Daimon, Minato-ku, Tokyo

Location Map

MASON has acquired ISO27001 certification.

MASON is committed to implementing security measures in accordance with the Guidelines for Information Security Measures for Small and Medium Enterprises.