ISO 27018

What is ISO/IEC 27018?

ISO/IEC 27018 is an international standard published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). The standard outlines best practices for protecting personally identifiable information (PII) in cloud computing environments. It was developed to ensure that cloud service providers maintain adequate security measures when handling PII belonging to their customers. This includes a range of measures such as implementing physical, technical and organizational security controls, conducting periodic risk assessments, and providing robust data breach notification procedures. Additionally, the standard requires providers to adhere to privacy principles such as purpose limitation, data minimization and transparency.

What are the key principles and requirements of ISO 27018?

The key principles and requirements of ISO 27018 are as follows:

  • Establish a framework for the processing of personal data in cloud services by providing guidance on topics such as privacy, security, data protection, and compliance.
  • Ensure that any personal data processed by cloud service providers is protected with appropriate technical and organizational measures.
  • Provide customers with clear information about how their personal data will be used and stored.
  • Enable customers to control their own personal data in accordance with applicable laws.
  • Require that cloud service providers provide adequate remedies to customers if there is a breach or misuse of their personal data.
  • Encourage transparency between the provider and customer regarding the collection, use, and sharing of personal data.
  • Ensure that the cloud service provider maintains a record of any changes made to its services that affect customers’ personal data.
  • Require organizations to establish procedures for monitoring compliance with ISO 27018 requirements.
  • Establish an independent audit process for verifying compliance with the standard.

ISO 27001 vs 27018

ISO 27018 adds new guidelines, enhancements, and security controls to ISO 27001 certification. Something important to note is that ISO 27018 is now considered a set of guidelines and controls that enhance ISO 27001, rather than a standard or certification.

There are a number of key differences between ISO 27001 and ISO 27018:

  • ISO 27001 is based on an information security management system (ISMS), while ISO 27018 is a code of practice for protecting personal data in the cloud.
  • ISO 27001 focuses on data confidentiality, integrity and availability, while ISO 27018 focuses specifically on privacy issues related to customer personal information stored in the cloud.
  • ISO 27001 requires organizations to establish policies and procedures that protect their confidential information from unauthorized access or disclosure, whereas ISO 27018 provides additional guidance and controls on how customers’ personal information should be handled in the cloud environment, such as encrypting sensitive data at rest or establishing role-based access control systems for user authentication purposes.
  • ISO 27001 also includes requirements on physical security, while ISO 27018 does not.
  • ISO 27001 focuses on data security and protection of information assets whereas ISO 27018 is focused more towards compliance with privacy regulations.

How to become ISO 27018 ‘certified’?

The following is a simplified list of some of the main processes involved when working towards ISO 27018:

  1. Understand ISO 27018: Gain a detailed understanding of its requirements.
  2. Identify gaps in your existing information security system: Conduct a gap analysis to identify any areas where your existing information security system does not meet the requirements of ISO 27018.
  3. Develop a plan for compliance: Create and implement a plan that outlines how you will address each identified gap in order to meet the requirements of ISO 27018.
  4. Certification: Once all remediation has been implemented and all ISO 27018 requirements are met, your independent auditor can audit your system against the ISO 27018 requirements. Upon successful completion of the audit, you will be awarded ISO 27018 certification.

