ISO 27018 Certification

You can apply for an audit of your ISMS according to the current standard ISO 27001:2022 in combination with ISO 27018. Our audit teams audit locally in most jurisdictions around the world. The information security auditors inspect your Information Security Management System (ISMS) and the associated Cloud Security Management System (CSMS) in over 7 different languages. Apply now for an extended ISO 27001 certification (including the ISO 27018 audit)! Is your main business location in the USA, Europe, Africa or Asia? Certification audits are possible in many regions.

Who needs an ISO 27018 Certificate?

If you offer cloud services, or if cloud services are an essential part of your products or services, you should establish a CSMS within your company. ISO 27018 can only be purchased as a supplement to ISO 27001 certification. ISO 27018 is not intended as a standalone ISO certification.

ISO 27001 Certification Areas

Within the ISO 27000 family, the core standard is ISO 27001, which is the required certification for any kind of add-on (e.g., ISO 27018, ISO 27701, ISO 27090, ISO 27091). If your organization has never been through an audit and you have only recently introduced your ISMS, then focus on ISO 27001 certification. Once your ISMS has reached substantial maturity, you can expand your ISO 27001 certificate with special certifications (e.g. ISO 27018 for Cloud Service Providers).

Information Security

ISMS: Implement a management system to protect the data in your company with a certified information security management system

Cloud Security

CSMS: Information security in the cloud is a very important issue. This niche is exposed to unique threats and has experienced scandals.

PIMS: Protecting your clients' data from being misused is especially important for social media and eCommerce platforms.

What is ISO 27018?

The International Standards Organisation (ISO) introduced the ISO 27018 standard in order to help organisations protect information being processed in the cloud by the human and technical resources of such organisations. Auditors will want to make sure that a Cloud Security Management System (CSMS) has truly been set up and is operating consistently with its documentation.

A CSMS is there to help leadership ensure the protection of information being processed in the cloud.

The ISO 27018 standard has the following structure:

  1. Introduction – the standard describes a process for systematically managing information risks.
  2. Scope – it specifies generic CSMS requirements suitable for organisations of any type, size or nature.
  3. Normative references – only ISO/IEC 27000 is considered absolutely essential reading for users of ISO 27018.
  4. Terms and definitions – see ISO/IEC 27000.
  5. Context of the organisation – understanding the organisational context, the needs and expectations of ‘interested parties’ and defining the scope of the CSMS. Section 4.4 states very plainly that “The organisation shall establish, implement, maintain and continually improve” the CSMS, meaning that it must be operational, not merely designed and documented.
  6. Leadership – top management must demonstrate leadership and commitment to the CSMS, mandate policy, and assign information security roles, responsibilities and authorities.
  7. Planning – outlines the process to identify, analyse and plan to treat information risks, to clarify the objectives of information security, and to manage CSMS changes.
  8. Support – adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled.
  9. Operation – more detail about assessing and treating information risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors).
  10. Performance evaluation – monitor, measure, analyse and evaluate/audit/review the information security controls, processes and management system, systematically improving things where necessary.
  11. Improvement – address the findings of audits and reviews (e.g. nonconformities and corrective actions), systematically refining the ISMS.

Why can an ISO 27018 certification be beneficial to you?

When an organisation decides to become ISO 27018 certified, it undergoes a journey towards building its CSMS documentation and preparing all people inside the business to apply the new security measures. Thereby, the organisational processes achieve greater maturity. Once the certification audit is successfully completed, the ISO 27018 certificate will demonstrate the following positive aspects to outsiders:

  • Greater information security
  • Regular security improvements
  • Greater trustworthiness
  • Greater reliability
  • Lower risk to client assets and IP

Furthermore, an organisation also experiences the following internal improvements:

  • Information flow inside the company is secure and efficient
  • Information is available and reliable at all times
  • Loss, theft, misuse, manipulation of data is less likely
  • Only authorised persons have access to confidential data
  • Greater compliance with laws, regulations and contractual obligations

What is required for ISO 27018 certification?

The ISO 27018 standard requires the following 14 items to be present and compliant within the CSMS documentation before a certificate can be issued:

  1. CSMS scope (as per clause 4.3)
  2. Information security policy (clause 5.2)
  3. Information risk assessment process (clause 6.1.2)
  4. Information risk treatment process and the Statement of Applicability (clause 6.1.3)
  5. Information security objectives (clause 6.2)
  6. Evidence of the competence of the people working in information security (clause 7.2)
  7. Other CSMS-related documents deemed necessary by the organisation (clause 7.5.1b)
  8. Operational planning and control documents (clause 8.1)
  9. The risk assessment outputs, i.e. the assessed risks (clause 8.2)
  10. The risk treatment decisions (clause 8.3)
  11. Evidence of the monitoring and measurement of information security (clause 9.1)
  12. The CSMS internal audit program and the results of audits conducted (clause 9.2)
  13. Evidence of management reviews of the CSMS (clause 9.3)
  14. Evidence of nonconformities identified and corrective actions arising (clause 10.1)

How will the audit plan be influenced by the statement of applicability?

Our audit teams follow an audit plan which takes your organisation’s specific industry sector and business model into consideration. The compliance of your ISMS will be reviewed in relation to the different chapters and parts of Annex A. In order to conduct a proper audit, it is necessary for the audit client to name staff members who can answer questions in relation to parts of the audit plan. One example would be naming the firewall administrator for the security controls related to access control. During the audit, the lead auditor will then ask the organisation's privacy and information security officer to arrange for the firewall administrator to be available for the session regarding access control.

An organisation must regularly review its Statement of Applicability (SoA) in order to decide which controls are necessary. Auditors will review the SoA and question in particular the controls that have been declared not applicable. The controls marked as applicable will also be inspected, but in a different way.

How much will the audit and ISO 27018 certification cost?

The cost of an ISO 27018 certification process depends on the size and risk profile of the organization. The ISO 27006 standard provides an average number of audit days for an organisation of average risk and a certain number of staff in scope. Our audit estimators estimate the expected audit time in relation to company-specific parameters. Some factors allow for a reduction of the audit duration and thereby reduce the audit costs.

Where risks require additional depth of audit activities, the audit plan will have to allocate extra time for them. This increases the audit time and the audit-related costs. In addition, if auditors have to travel to the client’s operational locations, the client organisation will incur additional travel expenses. The ISO standard allows for up to 30% of the audit to be conducted remotely. If the company structure (home office) or the situation (e.g. a pandemic) requires a 100% remote audit, the certification body is required to obtain consent from the respective accreditation body. Remote audits avoid travel costs and are usually ideal for “virtual organizations” (e.g. 100% home-office-based teams).

Number of persons doing work under the organization’s control | CSMS audit time for initial audit (auditor days)
--------------------------------------------------------------|------------------------------------------------
1~10                                                          | 0.5
11~15                                                         | 1.0
16~25                                                         | 1.5
26~45                                                         | 2.0
46~65                                                         | 2.5

The table above is based on the ISO 27006 standard document (Table B1) and shows the additional time for the CSMS audit during a combined ISO 27001 audit.

The audit time allocated for CSMS inspection is at least:

  • 30% of the audit time as Cloud Provider
  • 30% of the audit time as Cloud User
  • 50% of the audit time, if the organisation is a Cloud Provider and Cloud User

The ISO 27018 audit (Stage 1 + Stage 2) must then be at least 2.5 days for a Cloud Provider and 3 days for a Cloud User. If an organisation is acting in both roles, then the audit duration should not be less than the recommended 3.5 days.

This requirement exists because an ISO 27018 audit has to be conducted together with the ISO 27001 audit.

If the organisation already has an ISO 27001 certificate and wants to upgrade its commitment, then a separate audit of the CSMS documentation may be conducted. In such a case, a minimum of 0.5 days must be added to the audit duration.

FAQ for ISO 27018 Certification

The cost of your combined ISO 27001 + ISO 27018 certification will be quoted based on organization size and risk profile. The offer will be made on a fixed-fee basis and will state the estimated audit days. This will allow you to budget your certification project more accurately.

The cost of certification will depend on:

  • your organisation’s total size
  • the sector you operate in
  • the number of locations you operate from and their particular activities
  • your organisation risk profile

You will be assigned an account manager who coordinates the first stage of your journey towards the ISO 27001 certificate. This person will get you a fixed-fee quote and gather the key details of your desired certification scope.

The lead auditor will then arrange a 1-2 hour call with you to check that all aspects of your risk profile have been considered and that the audit plan structure matches the availability of the key people in your organization.

Once you have completed the audit, the account manager will keep you updated while the audit documentation is being processed by the compliance team in the certification body. After a positive review the ISO 27001 certificate will be issued to you.
We will also help you understand how to best use the certificate and associated logos, in order to avoid conflicts with the ISO rules.

Stratlane's accreditation is a key part of the assurance we can offer to those who trust you by trusting your certificate.

Our accredited ISO 27001 certificates include not only your logo but also the logo of the accreditation body and respective accreditation associations.

Let's Get Your Company Certified!

Make use of our certification services so that your business gains the competitive advantage of holding accredited ISO certifications.