Objectives and scope of the ISO 27017, ISO 27018 and ISO 27036 standards.

The ISO 27017, ISO 27018, and ISO 27036 standards are part of the ISO 27000 series of standards, which provide guidelines and best practices for information security management. These standards specifically address security issues related to cloud computing, privacy protection, and supply chain security, respectively.

The ISO 27017 standard, which was published in 2015, provides guidelines for information security controls in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27017 standard are to: 


  • Provide a common framework for evaluating and implementing information security controls in the cloud 
  • Help organizations to ensure that their cloud services are secure, and that sensitive data is protected 
  • Provide guidance on implementing the security controls specified in the ISO 27001 standard in a cloud environment 

 

The scope of the ISO 27017 standard includes the following: 

 

  • Information security controls applicable to cloud services 
  • The use of cloud services in an organization's information security management system (ISMS) 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

The ISO 27018 standard, which was published in 2014, provides guidelines for protecting personal data in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27018 standard are to: 

 

  • Provide guidance on protecting personal data in the cloud 
  • Help organizations to comply with privacy laws and regulations 
  • Provide a common framework for evaluating and implementing privacy controls in the cloud 

 

The scope of the ISO 27018 standard includes the following: 

 

  • Privacy controls applicable to cloud services 
  • The use of cloud services in an organization's privacy management system 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

The ISO 27036 standard, which was published in 2016, provides guidelines for securing the supply chain in the cloud. The standard applies to organizations that provide cloud services, as well as organizations that use cloud services. The objectives of the ISO 27036 standard are to: 

 

  • Provide a common framework for evaluating and implementing supply chain security controls in the cloud 
  • Help organizations to ensure that their cloud services are secure and that sensitive data is protected 
  • Provide guidance on implementing the security controls specified in the ISO 27001 standard in a supply chain context 

 

The scope of the ISO 27036 standard includes the following: 

 

  • Supply chain security controls applicable to cloud services 
  • The use of cloud services in an organization's supply chain security management system 
  • The roles and responsibilities of organizations that provide cloud services and organizations that use cloud services 

 

In summary, the ISO 27017, ISO 27018, and ISO 27036 standards provide guidelines and best practices for information security management in the cloud. These standards address specific security issues related to cloud computing, privacy protection, and supply chain security, respectively. By implementing the controls specified in these standards, organizations can ensure that their cloud services are secure, and that sensitive data is protected. 

Share this article

Best Practices for DORA Compliance

February 18, 2025
Building a resilient organization isn’t just about meeting regulatory standards—it’s about staying ahead of threats. Our latest blog dives into the best practices for achieving compliance with the Digital Operational Resilience Act (DORA). From strengthening incident response teams to improving third-party oversight, learn actionable strategies to secure your financial operations and maintain business continuity. Explore how regular assessments, advanced technology, and continuous testing can transform your cybersecurity approach

The Complete Guide to Understanding DORA and Achieving Compliance

February 18, 2025
New to DORA compliance? Our comprehensive guide breaks down everything you need to know about the Digital Operational Resilience Act (DORA). Learn how this vital EU regulation strengthens cybersecurity in the financial sector, who it applies to, and how to meet its requirements. From risk management to incident response and third-party oversight, this guide equips you with tools to build a resilient, compliant organization.

What you need to know about becoming a network security analyst

December 5, 2024
What does it take to succeed as a network security analyst? In this blog we go through some of the most important things you’ll need to know to succeed.
What you need to know about becoming a cybersecurity consultant

What you need to know about becoming a cybersecurity consultant

November 27, 2024
Discover what it takes to excel as a cybersecurity consultant. This blog explores essential skills, from understanding key cybersecurity frameworks like NIST and ISO 27001 to mastering risk assessment, regulatory compliance, and incident response. Whether you're just starting or looking to deepen your expertise, learn how to build resilient defenses against evolving cyber threats. Start your journey to becoming an expert cybersecurity consultant today!

What you need to know to become a chief information security officer (CISO)

November 15, 2024
Chief Information Security Officers (CISO) play a pivotal role in safeguarding an organization's digital assets. As the top executive responsible for information security, the CISO must navigate complex threats and align security strategies with business goals. But what does it take to succeed as a CISO? Let’s explore the key skills and responsibilities that define this crucial leadership role. 
What you need to know about managerial roles within cybersecurity

What you need to know about managerial roles within cybersecurity

November 1, 2024
Explore the essential managerial roles in cybersecurity that drive data protection and regulatory compliance. From policy development and risk management to security training and vendor oversight, non-technical cybersecurity roles are critical to organizational resilience. Discover the skills and certifications needed to excel in these high-demand positions and support a robust cybersecurity framework

What you need to know about becoming a penetration tester in 2024

October 8, 2024
Discover the essential skills and tools needed to become a successful penetration tester in 2024. Learn about networking, operating systems, programming, web security, and specialized tools. Explore key certifications like CEH, OSCP, and GPEN to kickstart your career in ethical hacking and cybersecurity.

Job satisfaction and challenges in cybersecurity

September 30, 2024
Explore the rewards and challenges of a cybersecurity career in 2024. Discover key factors driving job satisfaction, strategies for work-life balance, and how to navigate the emotional toll of cyber breaches. Learn how emerging trends are shaping the field and impacting professionals.
The power of soft skills in cybersecurity

The power of soft skills in cybersecurity

September 24, 2024
In today’s cybersecurity landscape, mastering soft skills like communication, problem-solving, crisis management, and adaptability is just as crucial as technical expertise. Learn why these non-technical skills are essential for cybersecurity professionals to navigate complex challenges, enhance teamwork, and protect digital environments from evolving threats.
Navigating a Career Transition and Development in Cybersecurity

Navigating a career transition and development in cybersecurity

September 17, 2024
Learn how to successfully transition into a cybersecurity career with practical tips on building foundational knowledge, gaining hands-on experience, and certifications.
More Posts
Share by: