Secure Your Business



A certification project acc. to ISO/IEC 27018 builds on a certified information security management system


When selecting cloud providers, demonstrating an internationally recognized Data Protection Certificate will, in future, be a decisive criterion. Certification of cloud services acc. to ISO/IEC 27018 is possible if the organization has already established, and had certified, an information security management system acc. to ISO/IEC 27001 with the same scope. CIS is one of the first Certification Bodies worldwide to certify cloud services acc. to ISO/IEC 27018. Since April 2015, CIS has been federally accredited for this by the Austrian Economic Ministry (BMWFW - “Bundesministerium für Wissenschaft, Forschung und Wirtschaft” - Federal Ministry for Science, Research and Economic Affairs). Certificates for “Data Protection in the Cloud” acc. to ISO 27018 issued by CIS are therefore recognized nationally and internationally and are valid before the court. Cloud services can be certified acc. to ISO 27018 in the course of the annual Surveillance Audits acc. to ISO 27001 or, independently of these, at any other time. The project process can be broken down into three phases: the implementation phase, the certification phase and the recertification phase.



Information: An initial interview with CIS furnishes details about the certification process. This is followed by registration and project planning.


Analysis: Evaluation of the individual requirements and assessment of the measures already in place within the company. CIS, as an independent Certification Body, is not involved.


Implementation: Establishing data protection controls for cloud services acc. to ISO/IEC 27018. CIS, as an independent Certification Body, is not involved.


CIS Stage Review (voluntary preliminary review): Upon request, CIS will, in the course of the project, review the usefulness of the system elements implemented so far. The audit report provides a strengths / weaknesses profile.


CIS System & Risk Review (preliminary review): CIS reviews the implementation of the requirements placed by the Standard as well as the documentation. Deficiencies and opportunities for improvement are laid down in a short report. This preliminary review serves as a “dress rehearsal” before the Certification Audit.


CIS Certification Audit: The CIS Auditor reviews the information security management system, supplemented by the cloud / privacy aspects, by taking multiple samples at different levels of the organization. The audit report shows opportunities for improvement.


CIS Licence: By obtaining the “Certificate Issuance & Right to Use Licence”, you receive the CIS Certificate acc. to ISO/IEC 27018, which makes the high data protection level of your cloud services visible to your customers and is valid for three years.


CIS Surveillance Audit: The Surveillance Audit, conducted once a year, reviews the effectiveness of the overall management system as well as its continual improvement.


CIS Recertification Audit: After 3 years, the expired Certificate can be renewed.


CIS - Certification & Information Security Services GmbH T +43 (0)1 532 98 90 office@cis-cert.com