Strengthening data protection in the public cloud - the ISO 27018 standard perspective

  • Writer: The SOC 2
  • Jun 6
  • 5 min read


As companies increasingly migrate their data to cloud environments, information security has become a critical concern. The protection of personally identifiable information (PII) stands out as particularly vital, not only to meet legal requirements but also to maintain customer trust. ISO 27018 emerged specifically to address these challenges. Let's explore how this standard helps cloud service providers (CSPs) deliver robust protection for the sensitive information entrusted to their care.


What is ISO 27018?


ISO/IEC 27018 is the first international standard specifically designed to protect personal data in public cloud environments. First published in 2014 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and updated in 2019, the standard has become increasingly important for organizations handling sensitive data. A further revision of ISO 27018 is under development: ISO/IEC FDIS 27018 is awaiting approval.


At its core, ISO 27018 establishes "commonly accepted control objectives, controls, and guidelines for implementing measures to protect personal data" for cloud service providers. Importantly, rather than functioning as a standalone certification standard, ISO 27018 serves as an extension of ISO 27001, introducing specialized controls for safeguarding PII in cloud environments.


The personal data protected under ISO 27018 encompasses a wide range of information, including full names, residential addresses, email addresses, phone numbers, identification numbers (ID cards, passports), biometric data (fingerprints, facial recognition data), credit card information, digital identities, and birth dates.


How ISO 27018 relates to other security standards


ISO 27018 doesn't exist in isolation but forms part of the broader ISO 27000 family of standards that establish best practices for information security management. Understanding these relationships provides valuable context:


ISO 27001 delivers the foundational requirements for an information security management system (ISMS) and includes 93 controls that provide the basis for ISO 27018. Meanwhile, ISO 27002 builds upon ISO 27001 by offering guidance on enhancing ISMS implementations, particularly regarding cybersecurity and privacy protection principles. The framework is further complemented by ISO 27017, which focuses specifically on security controls for cloud services, and ISO 27701, which addresses privacy information management.


Within this ecosystem, ISO 27018 enhances these standards with additional guidelines and security controls that specifically target the unique challenges associated with protecting personal data in public cloud environments.


Key objectives and requirements


ISO 27018 fulfills several essential objectives: supporting public cloud PII processors in meeting their obligations, enhancing transparency to help potential customers access secure cloud-based PII processing services, facilitating the creation of personal data processing agreements, and providing a comprehensive compliance methodology.


The implementation requirements span several critical areas. First, organizations must develop protocols for securely erasing PII when it's no longer needed. Additionally, they must establish robust standards for encrypting PII during both storage and transmission. Furthermore, cloud service agreements must clearly specify the purpose of processing PII. Finally, providers must offer credible guarantees regarding information management practices for their cloud services.


Essential controls under ISO 27018


ISO 27018 introduces specific controls that together form a comprehensive framework for personal data protection. Because they span many different areas, the most significant control domains are worth listing to give a clear picture of the standard:


  • Access control - limiting data access exclusively to authorized personnel

  • Asset management - identifying, inventorying, and protecting information assets

  • Business continuity management - ensuring service availability during disruptions

  • Communications security - safeguarding information during transmission

  • Compliance - adhering to regulations and contractual obligations

  • Cryptography - implementing encryption techniques to protect data confidentiality and integrity

  • Human resource security - providing training and building staff awareness

  • Incident management - enabling detection, reporting, and response to security incidents

  • Operations security - ensuring proper functioning of information processing systems

  • Physical and environmental security - protecting equipment and infrastructure


Within this framework, customers retain the right to access and delete their data. Crucially, companies may only process data for customer-approved purposes and cannot repurpose it for marketing activities without explicit consent.


The certification process


Obtaining ISO 27018 certification requires first securing an ISO 27001 certificate. The process unfolds in two distinct phases, beginning with an informal assessment of the organization's information security management system (ISMS). During this initial stage, auditors familiarize themselves with the organization while reviewing its documentation and procedures.


The second phase involves a formal compliance audit, during which the ISMS undergoes detailed testing against ISO 27001 requirements and, where applicable, the additional requirements of ISO 27018.


Typically, the entire certification process takes approximately one year to complete, with recertification required every three years. Throughout this period, auditors conduct regular surveillance audits to verify ongoing compliance with the standard's requirements.


Benefits of ISO 27018 implementation


Implementing ISO 27018 delivers tangible advantages for both cloud service providers and their customers:


  • Enhanced customer trust - ISO 27001 certification with ISO 27018 guidelines demonstrates a thorough understanding of secure personal data processing principles and shows active engagement in data protection.

  • Streamlined global operations - As part of a globally recognized standard, ISO 27018 facilitates international business activities. International contracts become easier to negotiate when both parties follow identical guidelines. Additionally, many ISO 27018 controls align with GDPR requirements, further simplifying operations in European markets.

  • Strengthened security and legal protection - Certification establishes a foundational security level for cloud data processors. In the event of a data breach, having implemented ISO 27018 controls and maintained certification can protect companies against negligence claims.

  • More efficient sales processes - IT industry sales agreements frequently encounter roadblocks related to corporate security concerns. ISO 27018 compliance simplifies the process of providing security departments with required information. Rather than navigating lengthy verification procedures, certified providers can simply present potential clients with their Statement of Applicability (SoA).

  • Reduced burden compared to ISO 27701 - While ISO 27701 has gained traction as a privacy standard, it requires implementing a privacy information management system (PIMS), creating significant organizational demands. For companies seeking to demonstrate public cloud personal data protection controls without implementing a management system-based standard, ISO 27018 offers a more manageable alternative.


Conclusion


ISO 27018 provides a comprehensive response to the challenges of protecting personal data in public cloud environments. As an extension of the ISO 27001 standard, it offers specific controls and guidelines that help cloud service providers ensure the security of processed data.


In today's landscape of increasing privacy concerns and stricter regulatory requirements, ISO 27018 compliance represents a significant competitive advantage. Although implementation requires financial investment and organizational effort, the benefits substantially outweigh these initial costs. Improved customer confidence, streamlined sales and global operations, and enhanced legal protection represent just a few of these advantages.


As cloud computing continues its expansion, ISO 27018 compliance will likely become increasingly demanded by customers seeking reliable cloud service providers. Organizations that adopt this standard early gain a competitive edge in this rapidly evolving market while building enduring customer relationships founded on trust and security.


ITGRC ADVISORY LTD. 

590 Kingston Road, London, 

United Kingdom, SW20 8DN

Company number: 12435469
