ISO 27018
(Cloud Security Management Systems)
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.
The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations, not applying to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
Benefits of ISO 27018
- Greater stakeholder confidence. Compliance to ISO 27018 enables CSP’s to demonstrate they have implemented security controls to protect stakeholder confidential information in the cloud.
- Faster enablement of global operations. Because ISO 27018 provides common guidelines across different countries, it enables CSP’s to do business globally.
- Supply chain requirement. ISO 27018 certification, provides CSP’s with evidence demonstrating they have implemented procedures to protect PII, reducing the time taken negotiating for new business and providing a competitive edge.
- Greater legal protection. Certification to ISO 27018 guarantees a systematic approach to data protection helping CSP’s to address their data security risks and operate within the law.