ISO 27018: Everything you need to know

Experts say the global cloud computing market will grow to nearly $950 billion by 2026. Naturally, rules and protections are necessary for a massive industry that handles copious amounts of personal data. 

That's where ISO 27018 comes in. It's the first international standard specifically for data privacy in cloud computing. 

What is ISO 27018? 

ISO/IEC 27018 is an international information security standard for protecting personally identifiable information (PII).  

PII includes, but is not limited to: 

  • Full name 
  • Home address 
  • Email address 
  • Phone number 
  • ID number 
  • Passport number 
  • Fingerprints 
  • Handwriting 
  • Face 
  • Credit card number 
  • Digital identity 
  • Date of birth 

The standard particularly applies to cloud computing service providers who process PII for their customers. 

ISO 27018 is part of the ISO 27000 family of standards. This set of standards defines best practices for information security management. But experts custom-tailored ISO 27018 to specifically address cloud computing services. As a result, the guidelines help to reduce information security risks of PII in a public cloud. 

ISO 27018 in relation to ISO 27001 and ISO 27002 

The International Organisation for Standardisation (ISO) and International Electrotechnical Commission (IEC) created ISO/IEC 27001 and ISO/IEC 27002 in 2013.  

ISO 27001 provides requirements for an information security management system (ISMS). It includes information on how to scope a strategy, design rules, and educate employees. There are 114 controls within ISO 27001. 

ISO 27002 expands on 27001 by providing knowledge on how to improve an ISMS. This includes rules for: 

  • Cyber security 
  • Information security 
  • Privacy protection 

However, there are more than a dozen standards in the ISO 27001 family, including ISO 27018. This family of standards allows organisations to manage the security of assets such as: 

  • Financial information 
  • Intellectual property 
  • Employee details 
  • Information entrusted by third parties 

ISO 27018 adds new guidelines, enhancements, and security controls to both standards. These aid cloud service providers in better managing data security risks distinctive to PII in cloud computing.  

Further, ISO 27018 is complementary to ISO 27017 and ISO 27701. These are standards on security control for cloud services and privacy information management.  

ISO 27018's Objectives 

There are several key objectives for the creation of ISO 27018. 

The first is to help public cloud PII processors meet their obligations. This includes when they are contractually obligated to provide public cloud services.  

Another objective is to allow for more transparency. Transparency enables prospective customers to access secure and well-managed cloud-based PII processing services.  

The standard also helps to establish contractual agreements for processing PII. Finally, ISO 27018 provides a methodology for compliance. 

ISO 27018: 2019 vs 2014  

The ISO and IEC launched ISO 27018 in 2014. Then, in 2019, ISO and IEC made minor revisions to the standard. 

The 2019 version rectifies an editorial error in Annex A from the 2014 version. The new version also no longer refers to ISO 27018 as a "standard" in the document. Instead, it uses the word "document." 

What is the significance of this?  

ISO 27018 is a set of guidelines and controls that enhance ISO 27001. It is not a standard for organisations to certify against. But, cloud service providers can get an ISO 27001 certification using 27018 guidelines if they process PII.  

There is not a standalone certification for ISO 27018. 

Getting an ISO 27018 Certification  

Due to the changes in the 2019 version, those who want an ISO 27018 certification need first to familiarise themselves with the ISO 27001 requirements.  

Any organisation of any size can gain ISO 27001 compliance. Once awarded, re-certification is required every three years.  

The certification process has two stages and usually takes a year to complete. Before beginning the accreditation process, your organisation must build a control framework.  

Stage One 

The first stage is an informal review of your ISMS. It allows auditors to become familiar with your organisation. 

The auditors will review your documentation and procedures.  

Stage Two 

The second stage is the formal compliance audit. 

Auditors will perform detailed tests of your ISMS against the ISO 27001 requirements. If your organisation is also seeking 27018 compliance, they will test against those requirements too.  

If your ISMS passes, you'll receive the certification. The auditors will require regular surveillance audits to guarantee ongoing compliance. 

ISO 27018 Controls list 

There are specific controls which form the requirements for protecting PII, and Annex A lists them in detail. 

For example, customers have a right to access and delete their data. A company can only process data for a purpose the customer approved. They cannot use the data for marketing and advertising.  

Additionally, cloud service providers must handle PII in a specific way when: 

  • Transmitting over public networks 
  • Storing on mobile devices 
  • Recovering data 
  • Restoring data 

Cloud service providers and their staff must also sign a confidentiality agreement or non-disclosure agreement (NDA). Employees who process PII need specialised training. If you use a subprocessor, your customers need to know before signing a contract. 

Policies should be in place for disposing of data your organisation is no longer using. 

If there is a data breach, customers have the right to know immediately. The provider is responsible for keeping a record of the incident and guiding their customers to comply with security obligations. 

You can learn more about the controls by speaking with an experienced data compliance company. 

Benefits of ISO 27018 Compliance 

Being compliant with ISO 27018 offers several advantages to organisations. Let's review the top benefits your business will experience. 

Improved Customer Confidence 

According to McKinsey, in 2020, 87% of survey respondents said they would not do business with a company if they had concerns about its security practices. As a result, customers need to trust that their cloud service provider can protect their data.  

Being ISO 27018 compliant ensures that the company has a thorough understanding of handling and processing PII. Moreover, it demonstrates a commitment to protecting data. You can show that you follow the most comprehensive data controls. 

An ISO 27001 certification is excellent for marketing purposes. But ISO 27018 compliance is the highest level of security you can offer customers. So from a security standpoint, following 27018 guidelines provides more to your business operations and customers.  

Eventually, 27018 compliance will be industry standard, so it's worth getting compliant now. Although you won't receive a separate certification, being 27018 compliant will set you apart from competitors.   

Enhanced Global Operations 

ISO standards are global. When organisations follow these guidelines, they can participate in the worldwide marketplace. Signing international contracts is much easier and faster when both parties follow the same guidelines.  

Of course, you'll always want to double-check the local laws of the country in which you want to do business. However, most countries use ISO standards or a similar framework for compliance.  

For instance, many controls in 27018 are also present in the General Data Protection Regulation (GDPR) that spans Europe. 

Better Security and Legal Protection  

Receiving an ISO 27001 certification and being 27018 compliant establishes a security baseline for any business that processes data in the cloud. In addition, the controls hold up against audits, customer probes, and government reviews.  

These standards will help you reduce security risks and protect your business against charges of negligence or recklessness if a breach occurs.  

Negligence charges can incur severe penalties. But businesses that show they have a risk-based framework and follow security controls can use that as evidence in a lawsuit. Unfortunately, breaches are always possible. By following 27018, you can reduce the likelihood of it happening and lessen the damages if it does. 

For businesses that use cloud services, working with a certified company shows regulators you're taking essential steps to protect your users' data.  

Streamlined Sales Processes 

When IT sales agreements fail, it's often because of the corporate security review. Being 27018 compliant simplifies the information that corporate security teams require.  

Instead of going through a long inquisition, the certified provider can have new customers review their Statement of Applicability (SoA). This statement is a list of their security controls and implementation. It will provide all the assurances the customer needs.  

It saves both sides time and money.  

Tackling Information Security with DataGuard 

You may already have noticed that standards such as ISO 27018 are phrased in a very abstract manner and contain hardly any concrete requirements and recommendations for action. Their implementation therefore relies on industry-specific expert advice. 

With our "Information Security as a Service" solution, we support you in setting up your Information Security Management System (ISMS) and prepare your business for an external ISO 27001 audit. 

Book a demo today or browse our blog for additional articles on information security!
