ISO 27018 Consultants

Personal Identifiable Information in Public Clouds

Cloud services now play a part in our daily lives and it is inevitable that Personal Identifiable Information (PII) will be stored and/or processed via the Public Cloud.

Public Cloud Providers include many of the apps and Software as a Service (SaaS) you might recognise, but the term can also be applied to platforms that these applications run on, including Infrastructure as a Service (IaaS).

ISO 27018 provides an internationally recognisable standard for protecting PII in Public Clouds and our ISO 27018 Consultants can help you implement best practices to meet Data Protection Legislation and provide reassurance to customers and Cloud users.

ISO 27018 Consultants

ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

ISO 27018 is part of the ISO 27000 family of Information Security Standards, and in part, extends some of the 114 Controls of ISO 27001/ISO 27002 by adding specific PII guidance. In other cases the standard makes the guidance within ISO 27002 mandatory.

However ISO 27018 also provides an annex of additional controls (A1 to A11) based on the 11 Privacy Principles in ISO 29100.

Essentially this extended control set helps the organisation manage specific risks inherent in a Cloud environment and meet data protection legislative requirements.

Public Cloud Providers, Cloud Service Customers and Data Principles

It’s important to understand the scope of your services within the principles of ISO 27018. The Standard is intended for Public Cloud Providers where Customers use the facility to store or process the PII they hold.

In this respect, some of the data protection obligations to the Data Principle (the individual person) are placed on the Cloud Service Customer – that is the entity using the Public Cloud Provider.

ISO 27001 + ISO 27018

ISO 27001 the standard for information security is a good place to start as this provides a framework for managing information security risks, and there is also the benefit of achieving a recognised Certification to this Standard.

If ISO 27001 is already embedded in the organisation, the extended control set in ISO 27018 is a good improvement to focus on risks related to personal data in the provider’s public cloud.

Assent have ISO 27018 Consultants who can help you understand the standard, implement the recommended controls in addition to ISO 27001 and measure/reduce risk to personal data.

Get started by purchasing a copy of the ISO 27018 standard from the BSI Shop.

ISO 27018 Gap Analysis

Many organisations find an ISO 27018 Gap Analysis a good first step, and our Consultants can work with you to identify gaps in your current documentation and processes.

Prepare for GDPR

Many of the Privacy Principles within ISO 27018 can help you work towards the General Data Protection Regulations. Find out more about GDPR.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

ISO 27018 Consultants