ISO 27018. Security and Protection of Personal Information in the Cloud

🕑 4 minutes read

In recent years technology has advanced exponentially, as is the case of storage in cloud which offers multiple benefits related to speed of access to information from any point with a significant technological saving.

This management model offered by different suppliers at an international level has as a counterpart the concern about data protection and their privacy regarding personally identifiable information (PII), understanding this information not only as the name of an interested party but those data related to their person, such as bank details, doctors, IP addresses, among others.

The management model in the cloud can present some difficulties as identifying where the information is hosted, the protection measures applied in communication networks or how these organizations manage personally identifiable information of data subjects that is housed in their information systems.

As a result of this concern, International Organization for Standardization (ISO) updated in January 2019, the standard related to information security, specifically the ISO 27018, in order to develop processes that cover cloud service providers, allowing them to certify to their customers that their rights are guaranteed based on the consents obtained.

What does ISO 27018 specifically propose?

ISO 27018 intends, in general terms, to identify accurately how the supplier manages the personal data of data subjects, establishes the necessary procedures for any request or access to the same methods, thus offering to the clients a total transparency.

ISO 27018 provides a guide of best practices for the protection of personally identifiable information (PII) in the cloud for organizations that act as processors of this information.”

Its implementation is linked to the ISO 27001 standard, which acts as basis for specifying the standard requirements. In this sense, ISO 27018 is divided into two main blocks of performance:

  • Statement of Applicability Controls: Based on the security controls established in Annex A of ISO 27001 or in the code of best practices ISO 27002, the standard adds security requirements for Personally Identifiable Information (PII) about specific controlsIn this sense, out of the 114 controls proposed by Information Security standard, ISO 27018 establishes additional requirements on 15 controls, distributed among following clauses:
    • Domain 5: Information Security Policies
    • Domain 6: Information Security Organization
    • Domain 7: Human Resources Security
    • Domain 9: Access Control
    • Domain 10: Cryptography
    • Domain 11: Physical and environmental safety
    • Domain 12: Operations security
    • Domain 13: Communications security
    • Domain 16: Incident Management
    • Domain 18: Compliance

What does Annex A of ISO 27018 define?

The 8 specific principles or controls of information privacy, applicable to the data manager in the cloud and how to implement them, which forms a set of requirements for the protection of PII. The principles in which it is based on are the following:

    • Consent and choice
    • Purpose of legitimacy and specification
    • Data minimisation
    • Limit of use, retention and disclosure
    • Opening, transparency and notification
    • Responsibility
    • Information Security
    • Privacy compliance

The implementation of the standard brings great benefits to data processors in the cloud, even more so with the certification ISO 27018, which is only certifiable jointly with ISO 27001. Among the benefits we can highlight the following:

  • It provides confidence in the protection of information from customers and stakeholders, protecting the image of the organization from access or data breach.
  • It allows you to identify the risks to which information is exposed (PII) by establishing controls for mitigation.
  • Differentiation from competitors in the same sector, providing protection to information under an international standard.
  • Protection against multan, providing a management system that protects the information of interested parties.

Finally, it should be noted that GlobalSuite® allows an effective implementation of the ISO 27018 standard by being fully adapted to the requirements identified in this article, not only for companies that are certified in ISO 27001, but also those that decide to address the implementation of both standards.