ISO 27018: How to protect PII on public clouds

Experts say the global cloud computing market will grow to nearly $950 billion by 2026. Naturally, rules and protections are necessary for a massive industry that handles copious amounts of personal data. 

That's where ISO 27018 comes in. It's the first international standard specifically for data privacy in cloud computing. Read on to learn what ISO 27018 is, how to comply with it, and how it can benefit your organisation.


What is ISO 27018? 

ISO/IEC 27018 is an international information security standard for protecting personally identifiable information (PII).  

Examples of PII include, but are not limited to: 

  • Full name 
  • Home address 
  • Email address 
  • Phone number 
  • ID number 
  • Passport number 
  • Fingerprints 
  • Handwriting 
  • Face 
  • Credit card number 
  • Digital identity 
  • Date of birth 

The standard particularly applies to cloud computing service providers who process PII for their customers. 

ISO 27018 is part of the ISO 27000 family of standards. This set of standards defines best practices for information security management. But experts custom-tailored ISO 27018 to specifically address cloud computing services. As a result, the guidelines help to reduce information security risks of PII in a public cloud. 

How ISO 27018 relates to ISO 27001 and ISO 27002

The International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) created ISO/IEC 27001 and ISO/IEC 27002 in 2013.  

ISO 27001 provides requirements for an information security management system (ISMS). It includes information on how to scope a strategy, design rules, and educate employees. ISO 27001 has 114 controls. 

ISO 27002 expands on 27001 by providing knowledge on how to improve an ISMS. This includes rules for: 

  • Cyber security 
  • Information security 
  • Privacy protection 

However, there are more than a dozen standards in the ISO 27001 family, including ISO 27018. This family of standards allows organisations to manage the security of assets such as: 

  • Financial information 
  • Intellectual property 
  • Employee details 
  • Information entrusted by third parties 

ISO 27018 adds new guidelines, enhancements, and security controls to both standards. These aid cloud service providers in managing data security risks distinctive to PII in cloud computing.  

Further, ISO 27018 is complementary to ISO 27017 and ISO 27701, the standards on security controls for cloud services and on privacy information management respectively.  

What are ISO 27018 objectives? 

There are several key objectives for the creation of ISO 27018. 

The first is to help public cloud PII processors meet their obligations. This includes when they are contractually obligated to provide public cloud services.  

Another objective is to allow for more transparency. Transparency enables prospective customers to access secure and well-managed cloud-based PII processing services.  

The standard also helps to establish contractual agreements for processing PII. Finally, ISO 27018 provides a methodology for compliance. 

The latest ISO 27018 version: 2019 vs 2014

The ISO and IEC launched ISO 27018 in 2014. Then, in 2019, ISO and IEC made minor revisions to the standard. 

The 2019 version rectifies an editorial error in Annex A from the 2014 version. The new version also no longer refers to ISO 27018 as a "standard" in the document. Instead, it uses the word "document." 

What's the significance of this?  

ISO 27018 is a set of guidelines and controls that enhance ISO 27001. It is not a standard for organisations to certify against. But, cloud service providers can get an ISO 27001 certification using 27018 guidelines if they process PII.  

There is no standalone certification for ISO 27018. 

Getting an ISO 27018 certification  

Due to the changes in the 2019 version, those who want an ISO 27018 certification need first to familiarise themselves with ISO 27001 requirements.  

Any organisation of any size can gain ISO 27001 compliance. Once awarded, re-certification is required every three years.  

The certification process has two stages and usually takes a year to complete. Before beginning the accreditation process, your organisation must build a control framework.  

Stage One

The first stage is an informal review of your ISMS. It allows auditors to become familiar with your organisation. 

The auditors will review your documentation and procedures.  

Stage Two

The second stage is the formal compliance audit. 

Auditors will perform detailed tests of your ISMS against ISO 27001 requirements. If your organisation is also following 27018 compliance, they will test against these requirements too.  

If your ISMS passes, you'll receive the certification. The auditors will require regular surveillance audits to confirm ongoing compliance. 

What are ISO 27018 controls?

There are specific controls which form the requirements for protecting PII; Annex A lists them in detail. 

For example, customers have a right to access and delete their data. A company can only process data for a purpose the customer approved. They cannot use the data for marketing and advertising.  

Additionally, cloud service providers must handle PII in a specific way when: 

  • Transmitting over public networks 
  • Storing on mobile devices 
  • Recovering data 
  • Restoring data 

Cloud service providers and their staff must also sign a confidentiality agreement or non-disclosure agreement (NDA). Employees who process PII need specialised training. If you use a subprocessor, your customers need to know before signing a contract. 

Policies should be in place for disposing of data your organisation is no longer using. 

If there is a data breach, customers have the right to know immediately. The provider is responsible for keeping a record of the incident and guiding their customers to comply with security obligations. 

You can learn more about the controls by speaking with an experienced data compliance company. 


How can you benefit from ISO 27018 compliance?

Being compliant with ISO 27018 offers several advantages to organisations. Let's review the top benefits your business will experience. 

Lift customer confidence 

According to McKinsey, in 2020, 87% of survey respondents said they would not do business with a company if they had concerns about its security practices. As a result, customers need to trust that their cloud service provider can protect their data.  

Being ISO 27018 compliant ensures that the company has a thorough understanding of handling and processing PII. Moreover, it demonstrates a commitment to protecting data. You can show that you follow the most comprehensive data controls. 

An ISO 27001 certification is excellent for marketing purposes. But ISO 27018 compliance is the highest level of security you can offer customers. So from a security standpoint, following 27018 guidelines provides more to your business operations and customers.  

Eventually, 27018 compliance will be industry standard, so it's worth getting compliant now. Although you won't receive a separate certification, being 27018 compliant will set you apart from competitors.   

Enhance global operations 

ISO standards are global. When organisations follow these guidelines, they can participate in the worldwide marketplace. Signing international contracts is much easier and faster when both parties follow the same guidelines.  

Of course, you'll always want to double-check the local laws of the country you want to do business in. However, most countries use ISO standards or a similar framework for compliance.  

For instance, many controls in 27018 are present in the General Data Protection Regulation (GDPR) that spans Europe. 

Improve security and legal protection  

Receiving an ISO 27001 certification and being 27018 compliant establishes a security baseline for any business that processes data in the cloud. In addition, the controls hold up against audits, customer probes, and government reviews.  

These standards will help you reduce security risks and protect your business against charges of negligence or recklessness if a breach occurs.  

Negligence charges can incur severe penalties. But businesses that show they have a risk-based framework and follow security controls can use that as evidence in a lawsuit. Unfortunately, breaches are always possible. By following 27018, you can reduce the likelihood of it happening and lessen the damages if it does. 

For businesses that use cloud services, working with a certified company shows regulators you're taking essential steps to protect your users' data.  

Streamline sales processes 

When IT sales agreements fail, it's often because of corporate security. Following 27018 compliance simplifies the information corporate security requires.  

Instead of going through a long inquisition, the certified provider can have new customers review their Statement of Applicability (SoA). This statement is a list of their security controls and implementation. It will provide all the assurances the customer needs.  

It saves both sides time and money.  

Strengthen your information security with DataGuard 

You may already have noticed that standards such as ISO 27018 are phrased in a very abstract manner and contain hardly any concrete requirements and recommendations for action. Their implementation, therefore, relies on industry-specific expert advice. 

We can help you. Check out DataGuard's information security as a service solution, or reach out for a chat with one of our InfoSec experts.


About the author

DataGuard Information Security Experts

Tips and best practices on successfully getting certifications like ISO 27001 or TISAX®, the importance of robust security programmes, efficient risk mitigation... you name it! Our certified (Chief) Information Security Officers and InfoSec Consultants from Germany, the UK, and Austria use their year-long experience to set you up for long-term success. How? By giving you the tools and knowledge to protect your company, its information assets and people from common risks such as cyber-attacks. What makes our specialists qualified? These are some of the certifications of our privacy experts: Certified Information Privacy Professional Europe (IAPP), ITIL® 4 Foundation Certificate for IT Service Management, ISO 27001 Lead Implementer/Lead Auditor/Master, Certificate in Information Security Management Principles (CISMP), Certified TickIT+ Lead Auditor, Certified ISO 9001 Lead Auditor, Cyber Essentials
