ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud
Update 2015-12-01: This blog post was updated on the issue of certification.
If your company is delivering services in the cloud, you probably have more and more customers asking you how their personal data is protected. ISO 27001 is certainly a good way to do it; however, some enlightened customers might ask you for even more – compliance with ISO 27018, the standard that is specialized in personal data protection in the cloud.
By the way, there is another cloud security standard in the ISO 27k series – ISO 27017. This standard provides general security guidelines for cloud providers and cloud customers, but at the time of writing this article it is still in FDIS status, which means the official version has not yet been published. Learn more here: ISO 27001 vs. ISO 27017 – Information security controls for cloud services.
What is ISO 27018?
ISO 27018 is fully called ISO/IEC 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, and it focuses on protecting the personal data in the cloud.
ISO 27018 works in two ways: (1) it augments existing ISO 27002 controls (ISO 27002 provides a detailed explanation of ISO 27001 security controls) with specific items for cloud privacy, and (2) it provides completely new security controls for personal data.
Because of its popularity, some certification bodies have started issuing certificates against ISO 27018. It must be pointed out that these are not regular certificates, since such certificates are possible only for management standards and ISO 27018 is not one; it seems these certificates are issued as part of the wider ISO 27001 certification audit.
Additions to the existing ISO 27001/27002 controls
Let’s see first to what degree ISO 27018 suggests that existing controls should be augmented:
| ISO 27001/ISO 27002 control section | Level of additional items in ISO 27018 |
|---|---|
| 5 Information security policies | Moderate |
| 6 Organization of information security | Low |
| 7 Human resource security | Low |
| 8 Asset management | Low |
| 9 Access control | Low |
| 11 Physical and environmental security | Low |
| 12 Operations security | High |
| 13 Communications security | Low |
| 14 System acquisition, development and maintenance | Low |
| 15 Supplier relationships | Low |
| 16 Information security incident management | Moderate |
| 17 Information security aspects of business continuity management | Low |
As you can see, ISO 27018 suggests the biggest additions in section 12 Operations security – this is mainly for the controls 12.1.4 Separation of development, testing and operational environments (when personal data is used for testing); 12.3.1 Information backup (multiple copies of data; procedures for the backup, recovery and erasure; providing information to the customer); and 12.4.1 Event logging (process for reviewing logs; recording changed privacy information; providing information to the customer).
Besides 12 Operations security, the additional items in other sections are surprisingly small.
New controls for cloud privacy
Annex A of ISO 27018 lists the following additional controls (that do not exist in ISO 27001/27002) that should be implemented in order to increase the level of protection of personal data in the cloud:
- Rights of the customer to access and delete the data
- Processing the data only for the purpose for which the customer has provided this data
- Not using the data for marketing and advertising
- Deletion of temporary files
- Notification to the customer in case of a request for data disclosure
- Recording all the disclosures of personal data
- Disclosing the information about all the sub-contractors used for processing the personal data
- Notification to the customer in case of a data breach
- Document management for cloud policies and procedures
- Policy for return, transfer and disposal of personal data
- Confidentiality agreements for individuals who can access personal data
- Restriction of printing the personal data
- Procedure for data restoration
- Authorization for taking the physical media off-site
- Restriction of usage of media that does not have encryption capability
- Encrypting data that is transmitted over public networks
- Destruction of printed media with personal data
- Usage of unique IDs for cloud customers
- Records of user access to the cloud
- Disabling the usage of expired user IDs
- Specifying the minimum security controls in contracts with customers and subcontractors
- Deletion of data in storage assigned to other customers
- Disclosing to the cloud customer in which countries the data will be stored
- Ensuring the data reaches the destination
All this is common sense, and I found it quite useful to have all these controls listed in a single document. Of course, ISO 27018 provides a detailed explanation for each of these bullets.
ISO 27001 or ISO 27018?
One client asked me recently whether they should go for ISO 27001 or ISO 27018 when operating a cloud service – I answered that this is both a marketing and a security question. From a marketing point of view, ISO 27001 is better because you will get a certificate that you can show to your clients; from a security point of view, ISO 27018 is much better because it provides detailed guidance.
However, the conclusion here is not to choose between the two standards, but to implement them together – ISO 27001 provides the best framework for the security management (with crucial emphasis on risk management), while ISO 27018 provides excellent cloud-specific security details. Simply start with ISO 27001 and add bits and pieces from ISO 27018 as you progress in your implementation project.