Experts say the global cloud computing market will grow to nearly $950 billion by 2026. Naturally, rules and protections are necessary for a massive industry that handles copious amounts of personal data.
That's where ISO 27018 comes in. It's the first international standard specifically for data privacy in cloud computing.
What is ISO 27018?
ISO/IEC 27018 is an international information security standard for protecting personally identifiable information (PII).
PII includes, but is not limited to:
- Full name
- Home address
- Email address
- Phone number
- ID number
- Passport number
- Credit card number
- Digital identity
- Date of birth
The standard particularly applies to cloud computing service providers who process PII for their customers.
ISO 27018 is part of the ISO 27000 family of standards. This set of standards defines best practices for information security management. But experts custom-tailored ISO 27018 to specifically address cloud computing services. As a result, the guidelines help to reduce information security risks of PII in a public cloud.
ISO 27018 in Relation to ISO 27001 and ISO 27002
The International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) created ISO/IEC 27001 and ISO/IEC 27002 in 2013.
ISO 27001 provides requirements for an information security management system (ISMS). It includes information on how to scope a strategy, design rules, and educate employees. There are 114 controls within ISO 27001.
ISO 27002 expands on 27001 by providing knowledge on how to improve an ISMS. This includes rules for:
- Cyber security
- Information security
- Privacy protection
However, there are more than a dozen standards in the ISO 27000 family, including ISO 27018. This family of standards allows organisations to manage the security of assets such as:
- Financial information
- Intellectual property
- Employee details
- Information entrusted by third parties
ISO 27018 adds new guidelines, enhancements, and security controls to both standards. These aid cloud service providers in better managing data security risks distinctive to PII in cloud computing.
Further, ISO 27018 is complementary to ISO 27017 and ISO 27701. These standards cover security controls for cloud services and privacy information management, respectively.
ISO 27018's Objectives
There are several key objectives for the creation of ISO 27018.
The first is to help public cloud PII processors meet their obligations, including the contractual obligations they take on when providing public cloud services.
Another objective is to allow for more transparency. Transparency enables prospective customers to access secure and well-managed cloud-based PII processing services.
The standard also helps to establish contractual agreements for processing PII. Finally, ISO 27018 provides a methodology for compliance.
ISO 27018: 2019 vs 2014
The ISO and IEC launched ISO 27018 in 2014. Then, in 2019, ISO and IEC made minor revisions to the standard.
The 2019 version rectifies an editorial error in Annex A from the 2014 version. The new version also no longer refers to ISO 27018 as a "standard" in the document. Instead, it uses the word "document."
What is the significance of this?
ISO 27018 is a set of guidelines and controls that enhance ISO 27001. It is not a standard for organisations to certify against. But cloud service providers that process PII can obtain an ISO 27001 certification that incorporates the 27018 guidelines.
There is not a standalone certification for ISO 27018.
Getting an ISO 27018 Certification
Due to the changes in the 2019 version, those who want an ISO 27018 certification first need to familiarise themselves with the ISO 27001 requirements.
Any organisation of any size can gain ISO 27001 compliance. Once awarded, re-certification is required every three years.
The certification process consists of two stages and usually takes a year to complete. Before beginning the accreditation process, your organisation must build a control framework.
The first stage is an informal review of your ISMS. It allows auditors to become familiar with your organisation.
The auditors will review your documentation and procedures.
The second stage is the formal compliance audit.
Auditors will perform detailed tests of your ISMS against the ISO 27001 requirements. If your organisation is also following the 27018 guidelines, they will test against those requirements too.
If your ISMS passes, you'll receive the certification. The auditors will require regular surveillance audits to verify ongoing compliance.
ISO 27018 Controls List
There are specific controls which form the requirements for protecting PII. Annex A lists them in detail. They include:
- Human resource security
- Information security policies
- Incident management
- Operations security
- Physical and environmental security
- Supplier relationships
- System acquisition, development, and maintenance
For example, customers have a right to access and delete their data. A company can only process data for a purpose the customer approved. They cannot use the data for marketing and advertising.
Additionally, cloud service providers must handle PII in a specific way when:
- Transmitting over public networks
- Storing on mobile devices
- Recovering data
- Restoring data
Cloud service providers and their staff must also sign a confidentiality agreement or non-disclosure agreement (NDA). Employees who process PII need specialised training. If you use a subprocessor, your customers need to know before signing a contract.
Policies should be in place for disposing of data your organisation is no longer using.
If there is a data breach, customers have the right to know immediately. The provider is responsible for keeping a record of the incident and guiding their customers to comply with security obligations.
You can learn more about the controls by speaking with an experienced data compliance company.
Benefits of ISO 27018 Compliance
Being compliant with ISO 27018 offers several advantages to organisations. Let's review the top benefits your business will experience.
Improved Customer Confidence
According to McKinsey, in 2020, 87% of survey respondents said they would not do business with a company if they had concerns about its security practices. As a result, customers need to trust that their cloud service provider can protect their data.
Being ISO 27018 compliant ensures that the company has a thorough understanding of how to handle and process PII. Moreover, it demonstrates a commitment to protecting data. You can show that you follow the most comprehensive data controls.
An ISO 27001 certification is excellent for marketing purposes. But ISO 27018 compliance is the highest level of security you can offer customers. So from a security standpoint, following 27018 guidelines provides more to your business operations and customers.
Eventually, 27018 compliance will be industry standard, so it's worth getting compliant now. Although you won't receive a separate certification, being 27018 compliant will set you apart from competitors.
Enhanced Global Operations
ISO standards are global. When organisations follow these guidelines, they can participate in the worldwide marketplace. Signing international contracts is much easier and faster when both parties follow the same guidelines.
Of course, you'll always want to double-check the local laws of the country in which you want to do business. However, most countries use ISO standards or a similar framework for compliance.
Better Security and Legal Protection
Receiving an ISO 27001 certification and being 27018 compliant establishes a security baseline for any business that processes data in the cloud. In addition, the controls hold up against audits, customer probes, and government reviews.
These standards will help you reduce security risks and protect your business against charges of negligence or recklessness if a breach occurs.
Negligence charges can incur severe penalties. But businesses that show they have a risk-based framework and follow security controls can use that as evidence in a lawsuit. Unfortunately, breaches are always possible. By following 27018, you can reduce the likelihood of it happening and lessen the damages if it does.
For businesses that use cloud services, working with a certified company shows regulators you're taking essential steps to protect your users' data.
Streamlined Sales Processes
When IT sales agreements fail, it's often because of corporate security requirements. Following the 27018 guidelines simplifies providing the information a customer's security team requires.
Instead of going through a long inquiry, the certified provider can have new customers review their Statement of Applicability (SoA). This statement lists their security controls and how they are implemented. It will provide all the assurances the customer needs.
It saves both sides time and money.
Tackling Information Security with DataGuard
You may already have noticed that standards such as ISO 27018 are phrased in a very abstract manner and contain hardly any concrete requirements and recommendations for action. Their implementation therefore relies on industry-specific expert advice.
With our "Information Security as a Service" solution, we support you in setting up your Information Security Management System (ISMS) and prepare your business for an external ISO 27001 audit.
Book a demo today or browse our blog for additional articles on information security!