Understanding ISO 27018:2020ISO 27018 is the code of practice for the protection of personally identifiable information (PII) in public clouds. We're going to explore what it means for both providers and customers.
What is ISO 27018?
ISO 27018 does two things:
- Gives further helpful implementation guidance (adding to ISO 27002) for the controls published in ISO/IEC 27001
- Sets out extra guidance on PII protection requirements for the public cloud
These extra controls aren’t covered in ISO 27002.
What are ISO 27018’s objectives?
ISO 27018 gives generic agreed guidance on information security categories. The standard targets public cloud services providers that act as PII processors.
Its key objectives are to:
- Help the public cloud PII processor meet their obligations, including when they’re under contract to provide public cloud services
- Enable transparency, so prospective cloud service customers can access secure, well managed cloud-based PII processing services
- Help cloud services and users establish contractual agreements for processing PII
- Give cloud service customers an audit and compliance methodology
Why is securing Personally Identifiable Information important?
According to IBM Security’s 2020 Data Breach Report, 80% of all data breaches involve PII. Securing PII covers a range of measures, some of which you’ll already be familiar with. These include:
- Minimising data collection and retention
- Adopting a secure data destruction schedule
- Data encryption for both storage and transmission
- Limiting access to data
- Employee training
- Compliance with relevant regulations
- Implementing an information governance strategy
The UK’s Information Commissioner’s Office (ICO) gives full guidance on what counts as PII. You can read it here.
What is Personally Identifiable Information?
Can you identify who someone is from the data they give you? If you can, that’s Personally Identifiable Information. By definition, PII is information that could link back to identify an individual. PII can include:
- A person’s name
- Their date of birth
- Where they live
- Their IP address
- Bank details
- Medical records
- And much more
Why should you process PII via the cloud?
But cloud data storage can be risky. You need to be confident that a cloud provider has the best controls in place to keep your information secure. If you’re a cloud provider, you’ll need to show your customers you have excellent security controls in place.
ISO 27018 classes cloud service providers as processors when they process your organisation’s personal data. Your organisation stays classed as the data controller even when a cloud service provider processes your data for you. Both processors and data controllers have legal responsibilities for PII protection.
What’s the history of ISO/IEC 27018:2020?
The information security management environment is rapidly evolving. The technical Standard ISO/IEC 27001 doesn’t address PII. So ISO created a new, complimentary standard in 2014, ISO 27018. The new standard addresses concerns about companies processing personal data in cloud service providers. ISO/IEC 27018:2020 is the third version of the 2014 document.
What changed from ISO/IEC 27018:2019 to 27018:2020?
ISO/IEC 27018:2020 is the latest version of ISO 27018. The differences between ISO 27018:2019 and ISO 27018:2020 are essentially technical. For all practical purposes, you can treat the 2019 and 2020 versions of ISO 27018 as being identical.
What changed from ISO/IEC 27018:2014 to 27018:2019?
The 2019 version of ISO 27018 contained only minor revisions from the 2014 version. The new version of ISO 27018:
- Added a general background section
- Defined it as a document not an international standard
Defining ISO 27018 as a document not a standard is more technically accurate, because the agreed standard for information management security systems (ISMS) is ISO 27001.
ISO has withdrawn ISO/IEC 27018:2014.
What’s ISO 27018’s relationship with other standards?
ISO 27018 is one of the ISO 27000 family of information security management standards. The ISO 27000 standards provide an internationally recognised infosec framework.
How does ISO 27018 relate to ISO 27001?
ISO 27001 sets out the technical requirements for establishing an ISMS. Compliance with ISO 27001 is the foundation standard for data security. ISO 27018 adds guidance on cloud service data protection to ISO 27001.
Rather than choosing between ISO 27001 or 27018, think about implementing them together. ISO 27001 is the best framework for creating an ISMS that focuses on risk management. ISO 27018 adds guidance for achieving robust security in the cloud.
How does ISO 27018 relate to ISO 27701?
ISO 27701 covers privacy information management, setting out requirements and guidance for implementing a privacy information management system (PIMS). The standard also gives guidance for PII controllers and processors, including implementation advice depending on:
- Your location
- Any national legislation or regulations
ISO 27701 maps to ISO 27018 and the EU GDPR legislation. It’s an extension of ISO 27001, the foundation standard for data security.
How does ISO 27018 relate to GDPR?
If your organisation works in the European Union, you must comply with and so should be aware of GDPR (General Data Protection Regulation). It’s an EU law (and UK, post-Brexit) that governs the processing of personal data. GDPR doesn’t only apply to EU countries. The law also applies to any organisation that provides goods or services into the EU.
GDPR and ISO 27018 serve slightly different functions. GDPR sets out data privacy and protection regulations. ISO 27018 gives you a practical framework to manage data protection and information security risks. Implementing ISO 27001, in conjunction with 27018, gives you a solid foundation for GDPR compliance.
Which other guidelines complement ISO 27018?
ISO 27018 links to ISO/IEC 29100. ISO 29100 provides:
- Privacy principles for the public cloud environment
- A general framework for protecting PII within an ICT system
ISO 29100 links to ISO 27018 by:
- Helping you to define PII privacy requirements
- Explaining the different roles in processing PII
ISO 29100 also establishes key privacy principles and terminology.
What are the benefits of ISO 27018?
ISO 27018 is particularly helpful for cloud service clients. It supports auditing for compliance against internal responsibilities. This is especially helpful when the data processor is a third-party cloud provider.
Other benefits of ISO 27018 are that it:
- Reduces the risks of data breaches in the cloud and related regulatory fines
- Inspires trust in your organisation
- Clients and customers will know that you’re ser protecting their personal data.
- Protects your brand reputation
Who can implement ISO 27018?
This standard is relevant for many types of organisation. Whether you’re:
- private, public or not-for-profit sector
- a large, medium or small company
if you process PII data via cloud computing, ISO 27018 is for you.
If you contract out PII to another company, due diligence will show if they work with ISO/IEC 27018. Any service provider that uses the cloud or PII should consider ISO 27018.
Most well-known cloud service providers are developing or have developed security measures to protect PII. Major industry players that already have ISO/IEC 27018-compliant policies include:
- Amazon Web Services
- Google Apps for Work
- IBM Softlayer
- Microsoft Azure
How do I get started with ISO 27018?
There are three areas you should look at when thinking about implementing ISO 27018:
- Find out what existing regulations apply legally to your organisation
- Don’t forget to include requirements that apply to your specific industry
- See if implementing ISO 27018 could give rise to any additional organisational risks
- Understand how adopting ISO 27018 could change your company culture / policies
Note that these areas are also covered by ISO 27001. ISO 27018 focuses more deeply on PII and cloud computing services.
What’s good ISO 27018 practice?
When adopting ISO 27018, it’s good practice to start by understanding your starting point. It’s important to build on what’s already in place. You’ll also need to identify any gaps that may increase the risk of a data breach in the cloud. A rigorous self-assessment process will achieve these aims.
Once you’ve established your starting point, invest in internal communications. Give your colleagues notice of any planned changes and involve them in discussions about why they’re needed. That will help you:
- Create workforce ownership
- Drive adoption of data protection controls and ISO 27018 measures
Can you get certification for ISO 27018?
ISO 27018 a code of practice, not a standard. ISO 27018 certification is generally included in the ISO 27001 audit process, if it’s included as an add-on to the ISMS.
To gain certification for an ISO standard, a competent auditor will conduct an audit. The auditor will check if the organisation meets the ISO criteria or if there are any gaps. This is known as a stage 1 audit.
After the audit, the organisation will have time to address any gaps in:
After a few weeks, the auditor will return for the stage 2 audit. This is a much longer and more in depth audit than stage 1. Your stage 2 audit will ensure that the ISMS is actually working as designed and implemented.
The awarding of ISO certification follows this visit providing the ISMS meets all criteria. The auditor will visit the organisation periodically (usually annually) to confirm your continued compliance. To maintain your ISO certified status you’ll need to pass your annual maintenance audits.
What are the requirements of ISO/IEC 27018:2020?
ISO/IEC 27018 extends the guidance for implementing security controls in ISO/IEC 27002. These controls divide the responsibilities for data protection into:
- Your responsibilities as the cloud service customer and data controller, even if you outsource data storage.
- Your cloud service provider’s responsibilities as the data processor
- PII encryption requirements during storage and transmission
- A secure deletion schedule for any no-longer-required PII
- A cloud service agreement that defines why PII processing takes place
- Robust cloud service provider assurances for information governance
You’ll also need an extra set of security controls. These align with the privacy principles set out in the ISO/IEC 29100 privacy framework. ISO/IEC 27018 allows cloud providers to prove that they know how to protect their customers PII.
What are ISO/IEC 27018:2020’s Annex A clauses?
Note that the list below is additional to controls defined in ISO 27001.
Clause 1: Scope
Clause 2: Normative references
Clause 3: Terms and definitions
Clause 4: Overview
4.1: Structure of this document
4.2: Control categories
Clause 5: Information security policies
5.1: Management direction for information security
Clause 6: Organization of information security
6.1: Internal organisation
6.2: Mobile devices and teleworking
Clause 7: Human resource security
7.1: Prior to employment
7.2: During employment
7.3: Termination and change of employment
Clause 8: Asset management
Clause 9: Access control
9.1: Business requirements of access control
9.2: User access management
9.3: User responsibilities
9.4: System and application access control
Clause 10: Cryptography
10.1: Cryptographic controls
Clause 11: Physical and environmental security
11.1: Secure areas
Clause 12: Operations security
12.1: Operational procedures and responsibilities
12.2: Protection from malware
12.4: Logging and monitoring
12.5: Control of operational software
12.6: Technical vulnerability management
12.7: Information systems audit considerations
13.1: Network security management
13.2: Information transfer
Clause 14: System acquisition, development and maintenance
Clause 15: Supplier relationships
Clause 16: Information security incident management
16.1: Management of information security incidents and improvements
Clause 17: Information security aspects of business continuity management
Clause 18: Compliance
18.1: Compliance with legal and contractual requirements
18.2: Information security reviews
What are ISO/IEC 27018:2020’s Annex A clauses?
Note that the list below is additional to controls defined in ISO 27001. Annex A Public cloud PII processor extended control set for PII protection.
2: Consent and choice
3: Purpose legitimacy and specification
4: Collection limitation
5: Data minimisation
6: Use, retention and disclosure limitation
7: Accuracy and quality
8: Openness, transparency and notice
9: Individual participation and access
11: Information security
12: Privacy compliance