ISO/IEC 27018 is a security standard part of the ISO/IEC 27000 family of standards. It was the first international standard about the privacy in cloud computing services which was promoted by the industry. It was created in 2014 as an addendum to ISO/IEC 27001, the first international code of practice for cloud privacy. It helps cloud service providers who process personally identifiable information (PII) to assess risk and implement controls for protecting PII. It was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) under the joint ISO and IEC subcommittee, ISO/IEC JTC 1/SC 27.
Standard Versions
That standard has two versions:
- ISO/IEC 27018:2014
- ISO/IEC 27018:2019
Structure of the standard
The official title of the standard is "Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". ISO/IEC 27018:2019 has eighteen sections, plus a long annex, which cover:
- 1. Scope
- 2. Normative References
- 3. Terms and definitions
- 4. Overview
- 5. Information security policies
- 6. Organization of information security
- 7. Human resource security
- 8. Asset management
- 9. Access control
- 10. Cryptography
- 11. Physical and environmental security
- 12. Operations security
- 13. Communications security
- 14. System acquisition, development and maintenance
- 15. Supplier relationships
- 16. Information security incident management
- 17. Information security aspects of business continuity management
- 18. Compliance
Objectives
The objective of this document, when used in conjunction with the information security objectives and controls in ISO/IEC 27002, is to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. It has the following objectives:
- Help the public cloud service provider to comply with applicable obligations when acting as a PII processor, whether such obligations fall on the PII processor directly or through contract.
- Enable the public cloud PII processor to be transparent in relevant matters so that cloud service customers can select well-governed cloud-based PII processing services.
- Assist the cloud service customer and the public cloud PII processor in entering into a contractual agreement.
- Provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multiparty, virtualized server (cloud) environment can be impractical technically and can increase risks to those physical and logical network security controls in place.
Advantages
Using this standard has the following advantages:
- It provides a higher security to customer data and information.
- It makes the platform more reliable to the customer, achieving a higher level than the competition.
- Faster enablement of global operations.
- Streamlined contracts.
- It provides legal protections for cloud providers and users.
References
- "ISO/IEC 27018 Code of Practice for Protecting Personal Data in the Cloud". docs.microsoft.com. Retrieved 27 March 2020.
- "ISO/IEC 27018:2014 [ISO/IEC 27018:2014] Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". www.iso.org. International Organization for Standardization. Retrieved 28 March 2020.
- "ISO/IEC 27018:2019 [ISO/IEC 27018:2019] Information technology — Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors". www.iso.org. International Organization for Standardization. Retrieved 28 March 2020.
- "ISO/IEC 27018:2019(en)". www.iso.org. International Organization for Standardization. Retrieved 28 March 2020.
- "ISO 27018 compliance: Here's what you need to know". www.infoworld.com. Stan Gibson. 2 November 2015.