Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
Data that enables the identification of an individual is classified as Personally Identifiable Information (PII). In essence, PII comprises any information that can be linked directly to a person. This includes, but is not limited to:
These are just a few examples of the types of data considered to be PII.
Safeguarding Personally Identifiable Information (PII) encompasses a suite of strategies, potentially familiar to you, including:
Cloud service providers tasked with managing Personally Identifiable Information (PII) under customer agreements are required to operate in accordance with PII protection laws and regulations. These legal mandates vary by jurisdiction and contractual terms, outlining the shared responsibilities of providers and customers. Data protection laws govern the acceptable management of PII, encompassing its acquisition, utilization, transmission, and elimination.
Navigating the legal landscape of PII processing is intricate for cloud service providers operating internationally due to diverse legal requirements. As a “PII processor,” a public cloud service provider processes PII following customer instructions. The customer, termed a “PII principal” for individuals or a “PII controller” for organizations, retains contractual authority and may permit third-party usage of contracted cloud services. Notably, a PII controller often bears more comprehensive PII safeguarding duties than the provider. It is imperative for providers to concentrate exclusively on the PII processing objectives specified by the customer to preserve a distinct role separation.
It should be noted that in processing customer account information, a public cloud service provider might take on the role of a PII controller; this document, however, does not cover the responsibilities associated with that position.
The aim of this standard is to forge a cohesive framework of security categories and controls. When integrated with the security goals and practices of ISO/IEC 27002, it enables a public cloud computing service provider to fulfill its responsibilities as a PII processor effectively.
The International Organization for Standardization (ISO) is an independent, non-governmental international organization that develops and publishes a wide range of standards, encompassing both technical and non-technical fields. Together with the International Electrotechnical Commission (IEC), ISO publishes the ISO/IEC 27000 series, which provides comprehensive guidance that assists organizations in protecting their information assets.
The ISO/IEC 27018 standard is pivotal for internet security, with a special emphasis on safeguarding personally identifiable information (PII)—the kind of data that can be used to identify a person. Organizations that achieve ISO/IEC 27018 certification are recognized for their dedication to conducting thorough risk assessments and implementing the necessary measures to protect PII, thereby ensuring the security of user data.
ISO/IEC 27018 acts as a comprehensive code of practice for cloud service providers managing Personally Identifiable Information (PII) on their clients’ behalf. It builds upon ISO/IEC 27001 and ISO/IEC 27002, introducing enhanced security measures. The standard delineates specific privacy protections and extra security controls that cloud service providers should implement.
In conjunction with ISO 27017, which zeroes in on cloud service security controls, and ISO 27701, which addresses privacy information management, ISO 27018 supplements the foundational ISO 27001 framework.
Going beyond ISO 27001, ISO 27018 provides guidance on 16 controls from ISO 27002 and adds 25 novel controls, which are categorized under 8 key privacy principles:
Here are a few examples of the new controls introduced:
ISO 27018 sets forth widely recognized guidelines on information security for public cloud service providers that manage Personally Identifiable Information (PII) in a processing capacity. The standard’s chief objectives are:
ISO 27018 outlines critical practices for incorporation into your control framework to ensure compliance with the standard. These practices include:
Limiting the use of PII for marketing or advertising to instances where explicit customer consent has been obtained. Customers retain ownership of their data, and your processing activities must align strictly with their instructions.
Exercising meticulous care with PII during its transfer over public networks, storage on mobile devices, or throughout data recovery operations. Cloud Service Providers (CSPs) and associated staff must engage in confidentiality agreements and receive specialized training in PII handling.
Promptly notifying customers in the case of a data breach, meticulously documenting the incident, and assisting customers in maintaining their security obligations.
Ensuring transparency by disclosing the identities of any sub-processors and the locations of PII processing prior to contract conclusion. Any changes in sub-processors during the contract term must be communicated to the customer, who should have the option to object to the change or terminate the contract.
Selecting a cloud service provider with robust security practices is essential. Voluntarily adopting ISO 27018 certification can elevate customer trust in the security of your cloud services. This certification prescribes vital data protection protocols for cloud services and dictates the management of personal data. The ISO/IEC 27018 standard offers vigilant monitoring systems and prudent guidelines for implementing security measures, aimed at markedly diminishing risks to your cloud services.
Achieving ISO 27018 certification reflects your unwavering commitment to premier information security within your cloud infrastructure, enhancing your company’s competitive stance.
When considering the implementation of ISO 27018, focus on these three key areas:
Determine which existing laws and regulations are applicable to your organization.
Evaluate whether adopting ISO 27018 might introduce new risks to your organization.
Ensure you include any requirements specific to your industry.
Additionally, understand how integrating ISO 27018 could impact your company’s culture and policies. Remember, while ISO 27001 covers these areas broadly, ISO 27018 delves deeper into the protection of Personally Identifiable Information (PII) and cloud computing services.
Initiate the process by educating your team on the updates in the ISO 27018 standard. This includes a comprehensive understanding of the new and revised requirements, as well as the updated Annex A controls, which cover specific measures for protecting Personally Identifiable Information (PII) in cloud services.
Adjust your Annex A controls to align with the new standard. This may involve consolidating existing controls, implementing new ones, or removing those that are no longer applicable. Ensure that all controls are effectively integrated into your ISMS and are functioning as intended.
Develop a robust action plan based on the findings from the gap analysis. This plan should outline the specific steps needed to align your ISMS with the new standard, including detailed updates to policies, procedures, and controls. Ensure that each step is clearly defined with assigned responsibilities and timelines.
Update your risk analysis and treatment plan to address any new or altered risks identified during the gap analysis. This involves reassessing your risk landscape and implementing appropriate risk mitigation strategies to ensure compliance with ISO 27018.
Finally, prepare for an external audit to certify that your PII management complies with ISO 27018. Ensure that all necessary documentation and evidence are in place to demonstrate compliance. The external audit will validate your adherence to the standard and provide official certification.
Conduct a thorough internal audit to assess the effectiveness of the implemented changes. This audit should verify that your ISO 27018 management system meets the new standard’s requirements and that all controls are operating effectively.
Carefully manage the transition process, ensuring that all team members are aware of their roles and responsibilities. Provide ongoing support and training to facilitate a smooth transition and address any challenges that may arise.
During the transition to ISO 27018, organizations often encounter several common challenges:
Gaining the commitment of senior management is crucial for the allocation of resources and for fostering a culture of security throughout the organization. This involves presenting a compelling business case that highlights the benefits of ISO 27018 compliance, such as enhanced data protection and competitive advantage.
Organizations may face limitations in terms of budget, time, and personnel, which can impact the implementation process. Effective resource management strategies, including detailed project planning and prioritization, are essential to address these constraints.
Identifying and evaluating all relevant information security risks to ensure that appropriate controls are in place can be a complex task. This requires a systematic approach to risk assessment, utilizing methodologies such as ISO/IEC 27005, and ensuring that all potential threats and vulnerabilities are thoroughly analyzed.
It’s essential to ensure that all employees are aware of the importance of information security and their role in the ISMS. This can be achieved through targeted training programs, regular communication, and fostering a security-aware culture within the organization.
The standard requires ongoing evaluation and improvement of the ISMS, which demands sustained effort and monitoring. Implementing a robust continuous improvement process, including regular internal audits, management reviews, and feedback mechanisms, is critical to maintaining compliance and enhancing the ISMS over time.
To assess if ISO 27018 certification aligns with your organizational goals, consider the following steps:
Analyze your organization’s strategic direction and how information security initiatives, particularly ISO 27018, can support achieving these goals. This involves aligning the ISMS objectives with the broader business strategy to ensure cohesive progress.
Perform a detailed gap analysis to compare your current information security practices against ISO 27018 requirements. This involves a thorough review of existing policies, procedures, and controls to identify areas needing enhancement or modification.
Assess how ISO 27018 can help your organization meet relevant legal and regulatory obligations. This includes understanding the specific data protection laws and regulations that apply to your industry and geographic location.
Evaluate whether your organizational culture supports robust information security practices and the adoption of an ISMS. This involves assessing employee awareness, engagement, and the overall attitude towards information security.
Determine if achieving ISO 27018 certification will provide a competitive edge in your industry. Consider how certification can enhance your market position, attract new customers, and differentiate your services from competitors.
Evaluate how ISO 27018 can bring tangible business benefits such as enhanced compliance with data protection regulations, cost reduction through streamlined processes, and improved organizational reputation. Consider the potential for increased customer trust and competitive differentiation.
Secure the involvement of top management to ensure that the information security policy and objectives are aligned with the strategic direction of the organization. Their commitment is crucial for resource allocation and fostering a security-centric culture.
Determine if your organization is prepared to allocate the necessary resources for the implementation and maintenance of an ISMS. This includes budget, personnel, and time commitments required to achieve and sustain ISO 27018 certification.
Examine how the standard’s risk management approach aligns with your organization’s risk appetite and management strategy. This includes integrating ISO 27018’s risk assessment and treatment processes into your existing risk management framework.
Ensure that your organization’s goals include continual improvement, a key aspect of ISO 27018. This involves establishing mechanisms for regular review, feedback, and enhancement of the ISMS to adapt to evolving threats and business needs.
By carefully considering these factors, you can determine how well ISO 27018 certification aligns with your organizational goals and whether it will support the overall strategic direction of your business.
Adaptable Certification Solutions with QMet
At QMet, we understand that businesses are dynamic entities. They grow, evolve, and change shape. Whether it’s the addition of new locations, the introduction of novel activities, or changes in staff numbers, rest assured, we’re equipped to support you through every transition.
Our commitment is to provide flexible certification solutions tailored to your evolving business landscape. We offer adaptable options to modify your scope, standards, and management system, ensuring they remain in perfect sync with your operational needs.
Honesty is the cornerstone of our partnership. We ask that you keep us informed of any changes as they occur. This transparency allows us to maintain a collaborative partnership, where certification is a seamless aspect of your business growth, not a hurdle to overcome.
Enroll in ISO 27018 training programs offered by the QMet Middle East Training Academy.
Objectives
The ISO 27018 standard is relevant for all organizations that process personal data in the cloud. To ensure robust protection of this data, it incorporates additional security control guidelines derived from ISO 27001, ISO 27002, and ISO 27017 standards.
These guidelines provide a framework for implementing security measures that ensure your management system meets the stringent requirements for cloud data protection and information security monitoring.
QMet: Pioneers in Certification and Quality Excellence
QMet stands as a beacon of certification excellence, with a rich history of involvement in a diverse array of management system certifications, inspections, calibrations, testing, and personnel qualifications. Our journey towards accreditation is in full swing, aligning with esteemed bodies such as the Gulf Accreditation Center, Saudi Accreditation Center, SASO, Saber, and SFDA. This strategic move is in accordance with the standards set by the International Accreditation Forum and the International Laboratory Accreditation Cooperation. Since our inception in 2005, QMet has been at the forefront of industry innovation. Our dedicated team has consistently demonstrated an unparalleled ability to grasp the intricate needs of the industry, crafting reliable and robust solutions that cater to a wide spectrum of requirements.