ISO 27018 is an international standard for the protection of Personally Identifiable Information (PII) in cloud computing environments. Unlike the broad scope of the ISO/IEC 27001 standard, it provides detailed and specific guidelines for cloud service providers on how to manage PII more securely, in conformance with global privacy regulations. With organizations turning to cloud services for storing and processing sensitive data, the importance of ISO 27018 multiplies: PII held in the cloud must be safeguarded against unauthorized access, breaches, and other security threats. If an organization plans to improve its data privacy practice so as to foster trust amongst its customers, then ISO 27018 must be understood and implemented. This blog discusses ISO 27018 and the importance of PII protection in the cloud.

What is ISO 27018?

In July 2014, ISO and IEC introduced ISO 27018 as part of the ISO 27000 family, and it has been updated twice since, most recently in 2019. This standard provides best practices for public Cloud Service Providers (CSPs) to enhance the protection of Personally Identifiable Information (PII) they process.

ISO 27018 was initially adopted by several major organizations, but it is now relevant for any entity handling PII in the public cloud, including private, public, government, and nonprofit organizations.

So, is certification necessary? Here’s what CSPs should know about ISO 27018:

  • ISO 27018 is the first international standard specifically focused on privacy for CSPs, offering a common set of security categories and controls. When used alongside the information security objectives and controls in ISO 27002, it helps public cloud service providers acting as PII processors.
  • It provides widely accepted control objectives, controls, and guidelines for protecting PII in line with the privacy principles outlined in ISO 29100.
  • The standard enhances ISO 27002 in two main ways:
    1. By offering implementation guidance for public cloud PII protection related to existing ISO 27002 controls.
    2. By introducing an additional control set and guidance to address PII protection needs in the public cloud not covered by ISO 27002.

As ISO 27018 builds upon ISO 27001, certification in ISO 27001 is a prerequisite. ISO 27018 compliance serves as a sector-specific extension to your existing ISO 27001 certification. This means that the additional guidance and controls in ISO 27018 integrate with your ISMS, as detailed in your statement of applicability and supporting documents—without introducing new management system requirements.

ISO 27018 is particularly applicable to organizations providing information processing services as PII processors in cloud environments. While it can also apply to PII controllers, these entities may face additional PII protection regulations and obligations not covered by ISO 27018.

Objectives of ISO 27018 Compliance

ISO 27018 offers widely accepted guidance on various information security categories. The standard is specifically aimed at public cloud service providers who handle Personally Identifiable Information (PII) as data processors.

The objectives of ISO 27018 are:

  • Assist public cloud PII processors in fulfilling their obligations, particularly when they are contracted to provide public cloud services.
  • Ensure transparency, allowing potential cloud service customers to access secure and well-managed PII processing services in the cloud.
  • Facilitate the establishment of contractual agreements between cloud service providers and users for the processing of PII.
  • Provide cloud service customers with a methodology for auditing and ensuring compliance.

Why is it Important to Secure Personally Identifiable Information?

According to IBM Security’s 2020 Data Breach Report, 80% of all data breaches involve Personally Identifiable Information (PII). Securing PII involves a variety of measures, many of which you might already be familiar with. These include:

  • Minimizing the collection and retention of data
  • Implementing a secure data destruction schedule
  • Encrypting data during both storage and transmission
  • Restricting access to data
  • Conducting employee training
  • Ensuring compliance with relevant regulations
  • Establishing an information governance strategy

The UK’s Information Commissioner’s Office (ICO) provides comprehensive guidance on what constitutes PII. 

A PII processor refers to any public cloud service provider that handles personal data on behalf of its clients. It is important to note that the original client may serve as the PII controller, which imposes separate legal obligations on them. However, the standard does not address these additional requirements.


Why Should You Handle PII Using the Cloud?

Processing PII through the cloud offers several advantages. Cloud storage for PII can lower operational costs compared to on-site data storage and enhance accessibility for remote work. However, cloud data storage also presents risks. It is crucial to ensure that your cloud provider has robust security measures in place to protect your information. As a cloud provider, demonstrating effective security controls to your customers is essential.

ISO 27018 designates cloud service providers as processors when they handle your organization’s personal data. Even though a cloud service provider manages your data, your organization remains the data controller. Both data controllers and processors have legal responsibilities for protecting PII.

Key Guidelines of ISO 27018

ISO 27018 provides several key guidelines that you can incorporate into your control framework to show compliance with the standard. These include:

  • Not using PII for marketing or advertising purposes unless you have explicit consent from your customers. Essentially, the customer retains control over their data, and you are limited to processing PII strictly according to their instructions.
  • Informing your customers immediately in the event of a data breach, keeping a detailed record of the incident, and helping customers stay compliant with their own security obligations.
  • Revealing the names of any sub-processors and the locations where PII may be processed before finalizing a contract. If the provider changes sub-processors during the contract term, they must notify the customer and offer the customer the option to object to the change or terminate the contract.

Although this list does not cover all the certification requirements, it highlights ISO 27018’s primary focus on the use of PII, including disclosure and notification practices.

What are the Next Steps?

The ISO 27018 standard was initially introduced to address a global compliance gap, and as outlined, it offers significant benefits if integrated into your framework. However, it’s important to consider potential costs, implementation timelines, and ongoing maintenance before making a commitment.

Additionally, other privacy compliance standards might better align with your needs, including the ISO 27701 standard mentioned earlier.

How Can Kratikal Help You With ISO 27018?

Kratikal offers end-to-end support, from assessing your current cloud security practices to aligning them with ISO 27018’s stringent guidelines. Our team of experts will help you implement the necessary controls to safeguard Personally Identifiable Information (PII) in the cloud, ensuring compliance with international standards. By collaborating with Kratikal, one of India’s top cyber security companies, you can confidently protect your cloud data and gain a competitive edge in the market.

FAQs

  1. What is the difference between ISO 27001 and 27018?

    ISO 27018 and ISO 27001 are standards designed to guide cloud service providers in adhering to best practices for data management. ISO 27001 is an earlier standard focused on information security management systems (ISMS). In contrast, ISO 27018 is a more recent framework that specifically addresses the protection of Personally Identifiable Information (PII).

  2. To whom does ISO 27018 apply?

    While some prominent organizations were among the first to adopt ISO 27018, any entity that processes PII in the public cloud can now consider conforming to its guidelines. This includes private, public, government, and nonprofit organizations.
