The International Organization for Standardization (ISO) has released a second edition to ISO 27018, its guidance for cloud service providers who process personally identifiable information (PII), which was initially released in 2014. As we know, the world of information technology and the protection of PII is an ever-evolving concern. We addressed how ISO 27018 interplays with other key regulations (such as the GDPR) here. Now with this new guidance set forth from ISO, it begs the question: is this a major or minor change?
The short answer is embedded in the foreword of Section 2: “This second edition cancels and replaces the first edition (ISO/IEC 27018:2014), of which it constitutes a minor revision. The main change compared to the previous edition is the correction of an editorial mistake in Annex A.”
What this translates to is that for most intents and purposes, the guidance set forth in ISO 27018 has remained largely unchanged, with some caveats. Of note:
1) Any references to ISO 27018 as an International Standard have been modified to reflect that this is now a “Document”.
This stems from the technicality that ISO 27018 is not a Standard that an organization can be certified against, but rather an additional subset of controls and guidance that augments an organization’s existing Information Security Management System, which would be certified against ISO 27001, the Information Security Management System Standard.
2) Minor updates to certain auxiliary verbs to more appropriately address the unique needs and requirements of organizations across different industries.
This does not reflect any sweeping changes to the intent and purpose of the controls from ISO 27018, but rather seems to be an attempt on ISO’s part to more simply present what an organization can be responsible for. This is evident when considering that most instances of “may” from the 2014 version have been updated to “can”. While there are many examples in the Document, one such instance occurs within the Annex A public cloud PII implementation guidance for the Policy on the Use of Cryptographic Controls (A.10.1.1) which states: “The public cloud PII processor should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the PII it processes. The public cloud PII processor should also provide information to the cloud service customer about any capabilities it provides that may can assist the cloud service customer in applying its own cryptographic protection.” A pedantic observation, but an observation nonetheless.
3) The addition of a “General” background section at the beginning of the Public Cloud Processor Extended Control Set for PII Protection (previously known as A1 – A11).
While no new controls are prescribed under this section, the addition of the General section technically constitutes its own section, which expands the control set to A1 – A12. The privacy principles (i.e. consent and choice, purpose legitimacy and specification, etc.) have remained the same and the underlying controls have generally remained in tact with no major updates, save for the principle mentioned in section 2 above. The exact verbiage from the General section was technically included in the previous edition of ISO 27018 but was not identified as its own section, the verbiage is included here: “This annex specifies new controls and associated implementation guidance which, in combination with the augmented controls and guidance in ISO/IEC 27002 (see Clauses 5 to 18), make up an extended control set to meet the requirements for PII protection which apply to public cloud service providers acting as PII processors. These additional controls are classified according to the 11 privacy principles of ISO/IEC 29100. In many cases, the controls can be classified under more than one of the privacy principles. In such cases they are classified under the most relevant principle.”
If you represent an entity that has achieved ISO 27001 certification with an ISMS aligned with the controls set forth by ISO 27018:2014, the above information should assuage any concerns that immediate sweeping changes would be necessary. Our team will be in contact with currently-certified entities and release additional guidance in the near-term if determined that such action is necessary.
For more information on ISO 27018, you can view our webinar on-demand: Privacy in the Cloud - an introduction to ISO 27018