ISO 27018

Personally Identifiable Information in Public Clouds

Cloud services now play a part in our daily lives, and it is inevitable that Personally Identifiable Information (PII) will be stored and/or processed in the Public Cloud.

Public Cloud Providers include many of the apps and Software as a Service (SaaS) offerings you might recognise, but the term also applies to the platforms these applications run on, including Infrastructure as a Service (IaaS).

ISO 27018 provides an internationally recognised standard for protecting PII in Public Clouds. Our ISO 27018 Consultants can help you implement best practice to meet Data Protection legislation and provide reassurance to customers and Cloud users.

ISO 27018 Consultants

ISO/IEC 27018:2014 Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.

ISO 27018 is part of the ISO 27000 family of Information Security Standards. In part, it extends some of the 114 controls of ISO 27001/ISO 27002 by adding PII-specific guidance; in other cases it makes guidance that is optional in ISO 27002 mandatory.

ISO 27018 also provides an annex of additional controls (A1 to A11) based on the 11 Privacy Principles in ISO 29100.

Essentially this extended control set helps the organisation manage specific risks inherent in a Cloud environment and meet data protection legislative requirements.

Public Cloud Providers, Cloud Service Customers and Data Principals

It’s important to understand the scope of your services within the principles of ISO 27018. The Standard is intended for Public Cloud Providers whose Customers use the service to store or process the PII they hold. In this respect, some of the data protection obligations towards the Data Principal (the individual person) are placed on the Cloud Service Customer – that is, the entity using the Public Cloud Provider.

ISO 27001 + ISO 27018

ISO 27001, the standard for information security, is a good place to start, as it provides a framework for managing information security risks, with the added benefit of achieving a recognised Certification to the Standard.

If ISO 27001 is already embedded in the organisation, the extended control set in ISO 27018 is a natural next step, focusing on the risks to personal data held in the provider’s public cloud.

Assent have ISO 27018 Consultants who can help you understand the standard, implement the recommended controls in addition to ISO 27001, and measure and reduce the risk to personal data.

Get started by purchasing a copy of the ISO 27018 standard from the BSI Shop.

ISO 27018 Gap Analysis

Many organisations find an ISO 27018 Gap Analysis a good first step, and our Consultants can work with you to identify gaps in your current documentation and processes.

Prepare for GDPR

Data protection reform is coming to the UK, and many of the Privacy Principles within ISO 27018 can help you work towards compliance with the General Data Protection Regulation (GDPR). Find out more about GDPR.

Contact Us for more information on ISO 27018.