
What Is ISO 27018 and How Does it Apply to Cloud Providers?

ISO/IEC 27018 establishes commonly accepted control objectives to protect Personally Identifiable Information (PII) in line with the privacy principles in ISO/IEC 29100 for cloud providers offering public infrastructure and services. It is a critical document for these providers seeking to instill the trustworthiness of their systems in their customers and clients. Learn more about ISO 27018 and what it takes to get your cloud infrastructure up to speed.


Cloud Providers and Personally Identifiable Information (PII)

One of the primary challenges that cloud providers face is handling user data. Cloud systems are predicated on storing information for hundreds or even thousands of customers, and much of that information is private data that must be protected.

One particular and common form of private data is Personally Identifiable Information, or PII. PII is information that, as the name suggests, could lead to the identification of a user, a use that, in almost all cases, is prohibited. Therefore, most regulations and security frameworks include requirements that protect users' privacy by protecting PII.

PII can include a user’s name, address, phone number, social security number, unique ID number, or any other information that, either on its own or in combination with other pieces of information, can lead to someone determining that user’s identity.

Cloud providers are often charged with handling these types of information, which means that they are also in charge of the security infrastructure around this information (and, consequently, the privacy of their customers and employees).

Following that, there are two general approaches that these providers can or must take to protect PII:

In the latter case (and, specifically, ISO), these providers obtain certification based on their specific offerings. For cloud providers, this is the ISO 27018 standard.


What Are the Objectives of ISO 27018?

The core purpose of ISO 27018 is to provide clear guidance for implementing security and privacy controls in cloud infrastructure. Specifically, the standard applies to cloud service providers (CSPs) that store or process PII for clients, so that this information remains private and secure.

Following that, the standard lays out a set of objectives that CSPs must meet so that the organization may display the ISO certification seal, verified through audits and reporting.

Note that these standards are primarily derived from ISO/IEC 27002, “Information security, cybersecurity, and privacy protection,” and are organized to benefit cloud service providers specifically.

Information Security Policies

Any cloud provider processing PII must have security policies demonstrating the practices and processes the CSP uses to support compliance and contractual obligations. This means that the responsibilities of the CSP must be clearly defined in client/partner agreements, so that services and infrastructure that process PII are delineated from those that do not.


Organization

CSPs must deploy specific organizational policies and roles to support their cloud security efforts. These specific responsibilities include:


Human Resources

Insider threats are often among the most dangerous risks an IT company can face. Cloud providers, therefore, must approach personnel security with an eye toward ensuring that employees are properly vetted and that they have access only to the specific systems they need.


Asset Management

A cloud provider must implement processes to inventory all assets, including PII, processing infrastructure, and devices. This includes maintaining a record of ownership for those assets, how those assets may or may not be used, and how those assets are checked out/assigned, returned, and disposed of. 


Access Control

Simply put, the CSP must maintain appropriate controls to ensure that only authorized users access the resources they need to perform their tasks. This covers both public-facing access for users and owners of PII and internal access for work-related tasks.


System and Application Access Control

The cornerstone of any good form of security is front-end interface control, including strong authentication and identity verification.


Cryptography

The CSP must have policies in place to use cryptography to protect data at rest and in transit. This requirement also includes having secure key management practices in place, including issuing and revoking keys, securely storing keys, and destroying keys.


Environmental Security

Environmental security refers to the security and protection measures to lock down physical spaces where computing and data resources are located.


Operations

Larger security issues must be addressed at the organizational level, that is, at the level of operations. This includes implementing organization-wide policies based on the needs of the business.


Communications Security

Cloud service providers must have technology and security measures in place to protect network communications, specifically when sending PII or other sensitive messages across internal or public networks. This requirement also includes specifics on non-disclosure agreements and on obtaining permission to share data via particular technologies (such as email).


Incident Management

The CSP must have policies and plans to identify, respond to, and remediate incidents as they occur. This includes training and professional development for any employees tasked with incident response.


Get Ready for ISO 27018 Certification with Lazarus Alliance

Cloud providers who want to guarantee the security of their PII processing will, sooner or later, run up against certification with ISO 27018. This extensive document draws on other requirements in the ISO 27000 series, which means having a deep knowledge of the standard's expectations both now and as it changes in the future.

If you’re ready to jump into ISO 27018, work with experts who have managed clients through the certification process for years. Work with Lazarus Alliance.
