Certification Description

■ ISO27017 cloud service information security management system certification

the rapid growth of the global cloud service market, the popularity of cloud service applications at the individual and enterprise organization level is fast, and there is a large market prospect for cloud service applications in government and public facilities scenarios. While cloud technology drives the rapid growth of the market, the information security and data security risks arising from the characteristics of cloud services are increasingly concerned by the society and regulatory authorities. Whether IaaS, PaaS or SaaS, the compliance and trustworthiness of cloud services have become key considerations for customers.

ISO 27017 provides an international practice guide for public cloud service providers on information security control based on ISO27001 and ISO27002. It provides additional terms and specific requirements for information security control based on cloud service characteristics for cloud service providers and cloud service customers, and focuses on the roles and responsibilities of cloud service providers and cloud service customers in ensuring the security and reliability of cloud services.

■ As a professional certification body in the domestic IT field, ZOHOCERT provide you with one-stop, comprehensive privacy information management and improvement services.

the ISO27017 management system certification
The ISO27017 special assessment and gap analysis.
Interpretation of ISO27017 Standards Training
ISO27017 internal auditor training

■ ISO 27017 certification process

1. Pre-assessment (optional)
2. Submit an application for certification
3. Sign the certification contract
4. Certification site audit
5. Issue certificates
6. Annual supervision and audit

■ Benefits of ISO 27017 Certification

to keep your information and data safe during cloud services
The compliance of your cloud services business
Deliver your better trust to your customers and partners
Many give you a greater opportunity to get more orders business and customers
Improve your credibility and business image, making you more competitive in cloud services

■ Certification standards

ISO/IEC 27017:2015 Information technology security techniques-Practical rules for information security control of cloud services based on ISO/IEC 27002

■ Characteristics and value of ZOHOCERT

Is a professional service organization that has been deeply involved in the IT information industry for many years.

Has a number of senior academic management experts with more than 20 years of practical experience.

Scope of Certification

Certification:ISO/IEC 27017 for organizations that are cloud service customers and cloud service providers

Certification Scheme

1 Scope of application

This certification scheme is applicable to Shanghai Zhonghao Certification Co., Ltd. (hereinafter referred to as: ZOHO) to implement the information field management system certification, to meet the requirements of the third-party certification system, as a standard for providing certification services. If necessary, the relevant technical requirements shall be supplemented in the certification contract.

The information field management system certification catalogue and certification basis standards applicable to this certification scheme are shown in Annex 1. This certification scheme does not apply to information technology service management system certification and information security management system certification, information technology service management system and information security management system certification scheme see "information technology service management system and information security management system certification implementation plan".

This certification scheme shall be confirmed and adopted when the two parties sign the contract.

2 Authentication Mode

ZOHO first audit the auditee's management system for the first time, after assessment, to confirm whether the certification is approved; after certification, in the validity period of the certification certificate of the certified customer's management system to monitor, to confirm whether continue to meet the certification requirements.

3 Certification Process Flow Chart

4 Basic Conditions for Certification Applications

a. Certified customers have clear legal status. Customers have business licenses, corporate certificates of public institutions, registration certificates of social organizations, registration certificates of non-corporate legal persons, establishment documents of party and government agencies, etc., and can apply for certification independently; other types of customers, Should be applied on behalf of qualified units;

b. When required by the state, local or industry, the certification customer has the prescribed administrative accreditation documents, and the scope of application for certification shall be within the scope approved by the legal status documents and administrative accreditation documents;

c. Certified customers have established a documented management system according to the corresponding management system standards, and have been running steadily for at least 3 months before the initial certification on-site audit, and promise to continue to operate the management system effectively within the validity period of the certificate;

d. Certification customers promise to comply with the laws, regulations and other requirements of the country, promise to always comply with the relevant provisions of certification, bear the legal responsibilities related to certification, and have the obligation to assist the supervision and inspection of certification regulatory authorities, and provide relevant materials and information truthfully for inquiries and investigations of relevant matters;

e. The certified customer has not been ordered by the law enforcement and supervision department to suspend business for rectification, or has been included in the "list of serious illegal enterprises" in the national enterprise credit information publicity system, or has violated relevant national laws and regulations, falsely reported or concealed the information required for certification;

f. The certification customer shall explain to ZOHO the requirements for the qualification of the certification body or the background of the certification personnel, as well as the applicable laws and regulations related to the protection of state secrets or the maintenance of national security, and explain whether there are any management system documents or records that cannot be provided to the audit team for verification because they contain confidential or sensitive information.

g. The certification customer submits the application materials to ZOHO in accordance with the requirements of the Application for Certification of Zhonghao Logo Management System and the corresponding annex;

h. Certification Customers promise to use certification certificates, certification marks and related information according to regulations after obtaining ZOHO certification, and shall not mislead the public into thinking that their products or services have passed the certification by using the words and symbols of the management system certification certificate without authorization. Pay the certification fee according to the contract and accept the supervision according to the regulations;

I. The certified customer promises to inform ZOHO of the information on the changes of the management system and other matters that may affect the ability of the management system to continuously meet the requirements of the certification standards according to ZOHO requirements after obtaining the certification, generally including: the major complaints from the customer and relevant parties; The products and services provided are listed in the "blacklist" by the law enforcement and supervision departments; Major accidents related to the management system occur; Changes in relevant circumstances (including: legal status, production and operation status, change of organization or ownership, change of qualification certificate; change of legal representative, top management and management representative; change of service workplace; change of scope of activities covered by management system; major change of management system and important process, etc.); other important situations affecting the operation of management system;

j. During the certification audit, the certification customer is able to provide products/services/activities related to the scope of the proposed certification.

5 Audit Implementation

5.1 Audit Guidelines

certification parties is as follows:

a. Certification basis standards (see Annex 1);

B. Audit criteria also include procedures, standards, laws and regulations, codes of practice, contractual requirements or industry norms applicable to the audited party.

5.2 audit process

5.2.1 Initial certification audit

Usually, the initial certification audit is implemented in two stages: the first stage and the second stage.

5.2.1.1 First stage audit

audit team, in combination with the professional characteristics of the auditees' management system coverage activities, confirms the auditees' understanding of the standard and the degree of implementation, the key points that have an important impact on the realization of the goal, the compliance of relevant laws and regulations and the scope of the management system according to the management system documents, system operation process, operation place and site conditions provided by the auditees, review whether the allocation of resources required for the second-stage audit and the degree of implementation of the management system can prove that it is ready for the second-stage audit, and agree with the applicant on the details of the second-stage audit to determine the second-stage audit arrangements.

the results of the Phase 1 audit may result in the postponement or cancellation of the Phase 2 audit.

5.2.1.2 Phase II Audit

audit team shall conduct on-site evaluation of the implementation of the auditees' management system, including compliance and effectiveness. The second phase of the audit includes at least the following aspects:

a. Compliance with all requirements of applicable management system standards and other regulatory documents;

B. Monitoring, measurement, reporting and review of performance based on key performance objectives and indicators;

c. aspects of the management system and performance relating to compliance with the law;

d. Operational control of the auditees' processes;

e. Implementation of management responsibilities, including policy-specific management responsibilities;

f. Planning and achievement of functional level objectives established to achieve the overall objectives;

g. Linkages between normative requirements, policies, performance objectives and targets, applicable legal requirements, responsibilities, personnel capabilities, operations, procedures, performance data and internal audit findings and conclusions.

5.2.2 Monitoring activities

5.2.2.1 Manner of oversight activities

ZOHO adopts a combination of on-site supervision and audit and daily supervision (such as paying attention to the quality information bulletin issued by relevant national departments, paying attention to the information of relevant parties of certified customers, daily tracking of relevant information of certified customers, reviewing certified customers and their operation instructions, and requiring certified customers to provide documents and records, etc.).

5.2.2.2 Contents of post-certification supervision and audit

a. System maintenance and any changes (e. g. resources, processes, organizational structure, identified critical control points, etc.);

B. Customer complaints;

c. the scope of the change;

d. Effectiveness of management system implementation;

e. Progress of activities planned for continuous improvement;

f. Measures and effects taken in response to non-conformances identified in the previous audit;

g. the use of certificates and marks and/or any other reference to qualification;

h. Other selected ranges as appropriate.

Certified customers should keep all complaint records and provide them to ZOHO when required. Based on the above information, ZOHO will re-evaluate the certified customer management system to confirm whether it continuously meets the certification requirements. For the certified organizations that have passed the supervision and audit, the decision to maintain their certification qualifications will be made; otherwise, the suspension or revocation of certification disposal will be made.

supervision audit, if the certification customer does not close the non-conformity as required, it may lead to the suspension of the certification certificate.

5.2.2.3 Frequency of supervision and audit

During the validity period of the certificate, the certified customer shall be subject to a supervisory audit. The first supervisory audit after the initial certification and recertification shall be carried out within 12 months from the date of the certification decision, and the subsequent supervisory audit shall be carried out at least once every calendar year (except the year in which recertification shall be carried out) and the maximum time interval from the previous supervisory audit shall not exceed 15 months.

If the certification certificate is suspended due to the failure of the certified customer to carry out the supervision audit within the specified time, after the resumption of the supervision audit, the next audit time shall be calculated according to the originally planned time.

shall increase the frequency of supervision or arrange the audit with short notice in advance:

a. The certified customer has made major changes to the management system or has major problems;

B. There is sufficient information to show that the certified customer has changed the organization, management system and other changes that affect the certification basis;

c. Certified customers have major accidents related to the management system;

d. Other considerations.

5.2.3 Re-certification

Certified customers must apply for recertification at least three months before the expiration of the certificate. The purpose of the recertification audit is to verify the overall continuing conformity and effectiveness of the organization's management system as a whole, and the continuing relevance and suitability of the scope of certification.

will arrange special audit or arrange recertification audit with certified customers in advance when it is found that the certified customers have significant changes that seriously affect the operation of the management system, or when the complaint analysis and other information of certified customers show that certified customers no longer meet the certification requirements. The recertification audit also needs to focus on the performance of the management system during the certification cycle, including access to previous supervisory audit reports.

For multi-site or combined audit certification, the recertification audit should ensure that the on-site audit has sufficient coverage to provide confidence in the management system certification.

a phase audit may not normally be conducted during recertification, a phase one audit may be required when there are significant changes in the certified client's management system and the certified client's internal and external operating environment. During the re-certification audit, the certification customer shall accept the ZOHO audit before the expiration of the current certification certificate, and close the non-conformity issued by the audit team within the specified time. Otherwise, if ZOHO cannot make a certification decision within 6 months after the expiration of the original certification certificate due to the certification customer, the re-certification audit will be invalid. 5.2.4 Special Audit

5.2.4.1 Audit to expand the scope of certification

For certified customers, ZOHO reviews the application to expand the scope of certification and determines the audit activities required for the decision to expand, which can be carried out at the same time as the supervisory audit.

5.2.4.2 Review with short notice

audits that require short notice to certified customers in order to investigate complaints, respond to changes, or follow up on suspended certified customers.

1. Explain to the certified customer and make them aware in advance of the conditions under which such audits will be carried out;

2. Assign experienced auditors to form an audit team.

5.3

audit team shall communicate with the audited party before the on-site audit to confirm the audit arrangement and explain the agenda of the first and last meetings. The audit team shall carry out the audit according to the schedule in the audit plan, collect and verify the relevant information on a sample basis through appropriate methods such as consulting the documents and records of the audited party, interviewing with the post personnel of the process and activities, and observing the service formation process and activities. If necessary, the audit team shall conduct technical tests to form audit findings and confirm the audit situation.

During the audit process, the audit team communicates with the audited party in a timely manner, informs the audit process, confirms the audit evidence, and resolves differences. When the audit findings indicate that the purpose of the audit cannot be achieved, the reasons shall be explained and follow-up measures shall be agreed. If it is necessary to change the purpose and scope of the audit or terminate the audit, it shall be implemented after review and approval by the audit dispatching agency.

audit team leader shall communicate the information of the on-site audit with the audited party, ask the audited party to confirm the problems found and the non-conformance report, and agree on the arrangement of follow-up measures for non-conformance and confirm the audit conclusion. The audit team shall prepare the audit report and submit it to the audited party.

the audit report belongs to ZOHO, if there is any change in the audit follow-up activities (including ZOHO's certification decision period), ZOHO will provide the audit report to the auditee again. The audited party shall properly keep the audit report, non-conformity report and its correction materials and other corresponding materials.

Certification Fees

Certificate Sample

Certification Mark