top of page
Frequently asked questions
ISO 27001 is the international standard (https://www.iso.org/isoiec-27001-information-security.html)for information security. It is a listing of requirements which would need to be in place to addiquetely manage your information security. These requirements are often referred to as "clause requirements." The standard also includes a listing of security controls (to be managed by the clause requirements) which are located within Annex A of the standard.
ISO/IEC 27017:2015 provides guidelines for information security controls within cloud environments. An organization cannot be certified to ISO 27017 alone. Once certified to ISO 27001, an organization can then add ISO 27017 to the scope of the ISMS and be assessed to the requirements thereof. Once through the assessment, it will be noted on the ISO 27001 certificate that the organization also adhers to the requirements of ISO 27017 for cloud security.
ISO/IEC 27018:2014 is an internaltional standards which provides guidelines for the protection of personally identifiable information (PII) within cloud environments. An organization cannot be certified to ISO 27018 alone. Once certified to ISO 27001, an organization can then add ISO 27018 to the scope of the ISMS and be assessed to the requirements thereof. Once through the assessment, it will be noted on the ISO 27001 certificate that the organization also adhers to the requirements of ISO 27018 for privacy.
ISO 27001 certification can be achieved through being independentely assessed by an approved certification body. Certification bodies get their approval to perform certification reviews through an accredidation body (such as ANSI in the Americas or UKAS in the UK). The certification process includes (typically) a stage 1 and stage 2 review.
An Accredidation Body is a group which provides an acredidation to a certification body (or CB) which allows the CB to perform ISO 27001 certification reviews. It is important to make sure the CB you are planning to use for ISO 27001 certification is accredited. In the US, ANSI accredidation is the norm for ISO 27001 certification.
The Certification Body is the third party company you would use to go through the ISO 27001 certification review process. It is important to make sure your CB is accredited before you start your engagement with them. In the US, ANSI accredidation is the norm for ISO 27001 certification. YCA is NOT a CB. YCA is an independent assessment and review company.
bottom of page