
The ISO 27001 & ISO 22301 Blog

ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud

Update 2015-12-01: This blog post was updated on the issue of certification.

If your company is delivering services in the cloud, you probably have more and more customers asking you how their personal data is protected. ISO 27001 is certainly a good way to do it; however, some enlightened customers might ask you for even more – compliance with ISO 27018, the standard that is specialized in personal data protection in the cloud.

By the way, there is another cloud security standard in the ISO 27k series – ISO 27017. This standard provides general security guidelines for cloud providers and cloud customers, but at the time of writing this article it is still at FDIS (Final Draft International Standard) stage, which means the official version is not yet published. Learn more here: ISO 27001 vs. ISO 27017 – Information security controls for cloud services.

What is ISO 27018?


The full title of ISO 27018 is ISO/IEC 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, and it focuses on protecting personal data in the cloud.

ISO 27018 works in two ways: (1) it augments the existing ISO 27002 controls (ISO 27002 provides detailed implementation guidance for the ISO 27001 Annex A security controls) with specific items for cloud privacy, and (2) it provides completely new security controls for personal data.

Because of its popularity, some certification bodies have started issuing certificates against ISO 27018. It must be pointed out that these are not regular certificates, since such certificates are possible only for management system standards and ISO 27018 is not one; it seems these certificates are issued as part of a wider ISO 27001 certification audit.

Additions to the existing ISO 27001/27002 controls

Let’s see first to what degree ISO 27018 suggests that existing controls should be augmented:

ISO 27001/ISO 27002 control section                                  Level of additional items in ISO 27018
5  Information security policies                                     Moderate
6  Organization of information security                              Low
7  Human resource security                                           Low
8  Asset management                                                  Low
9  Access control                                                    Low
10 Cryptography                                                      Low
11 Physical and environmental security                               Low
12 Operations security                                               High
13 Communications security                                           Low
14 System acquisition, development and maintenance                   Low
15 Supplier relationships                                            Low
16 Information security incident management                         Moderate
17 Information security aspects of business continuity management   Low
18 Compliance                                                        Moderate

As you can see, ISO 27018 suggests the biggest additions in section 12 Operations security. This is mainly for the controls 12.1.4 Separation of development, testing and operational environments (when personal data is used for testing); 12.3.1 Information backup (multiple copies of data; procedures for backup, recovery and erasure; providing information to the customer); and 12.4.1 Event logging (a process for reviewing logs; recording changes to privacy information; providing information to the customer).

Besides 12 Operations security, the additional items in other sections are surprisingly small.

New controls for cloud privacy

Annex A of ISO 27018 lists the following additional controls (which do not exist in ISO 27001/27002) that should be implemented in order to increase the level of protection of personal data in the cloud:

  • Rights of the customer to access and delete the data
  • Processing the data only for the purpose for which the customer has provided this data
  • Not using the data for marketing and advertising
  • Deletion of temporary files
  • Notification to the customer in case of a request for data disclosure
  • Recording all the disclosures of personal data
  • Disclosing the information about all the sub-contractors used for processing the personal data
  • Notification to the customer in case of a data breach
  • Document management for cloud policies and procedures
  • Policy for return, transfer and disposal of personal data
  • Confidentiality agreements for individuals who can access personal data
  • Restriction of printing the personal data
  • Procedure for data restoration
  • Authorization for taking the physical media off-site
  • Restriction of usage of media that does not have encryption capability
  • Encrypting data that is transmitted over public networks
  • Destruction of printed media with personal data
  • Usage of unique IDs for cloud customers
  • Records of user access to the cloud
  • Disabling the usage of expired user IDs
  • Specifying the minimum security controls in contracts with customers and subcontractors
  • Deletion of data in storage assigned to other customers
  • Disclosing to the cloud customer in which countries the data will be stored
  • Ensuring the data reaches the destination

All this is common sense, and I found it quite useful to have all these controls listed in a single document. Of course, ISO 27018 provides a detailed explanation for each of these bullets.

ISO 27001 or ISO 27018?

One client asked me recently whether they should go for ISO 27001 or ISO 27018 when operating a cloud service – I answered that this is both a marketing and a security question. From a marketing point of view, ISO 27001 is better because you will get a certificate that you can show to your clients; from a security point of view, ISO 27018 is much better because it provides detailed guidance.

However, the conclusion here is not to choose between the two standards, but to implement them together – ISO 27001 provides the best framework for the security management (with crucial emphasis on risk management), while ISO 27018 provides excellent cloud-specific security details. Simply start with ISO 27001 and add bits and pieces from ISO 27018 as you progress in your implementation project.

Take a look at this free demo of ISO 27001 & ISO 27017 & ISO 27018 documentation to see how these standards can work with each other to protect personal data in the cloud.
