Famed baseball player and possessor of a great name, Yogi Berra, once said, “When you come to a fork in the road, take it.”
Granted, he was likely being funny, but he obviously never had to pay for an ISO certification. When you're faced with a choice between two of them, such as ISO 27018 and ISO 27701, your budget may not agree with “taking” both roads, nor is it necessary to do so.
What is necessary though, is to choose the right path forward for your organization. If you’re looking to provide assurances to customers regarding your safeguarding their personally identifiable information (PII), both ISO 27018 and ISO 27701 can do that, albeit in different ways. We’d know because we’ve performed certifications for both for years and we understand well the different advantages each presents.
So, to help inform your decision, this article will define both standards and their goals, as well as considerations to make as to one or the other. You might be faced with a fork in the road right now, but after reading you’ll be able to decisively take the right path.
Processors vs. Controllers
Before we get into these two privacy standards, let’s rewind back to the basics and define the two different types of organizations concerned with protecting privacy so that those new to privacy compliance understand what type they are:
Processor. Formal definition: A natural or legal person, public authority, agency, or any other body which processes personal data on behalf of a controller.
Controller. Formal definition: A natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Given these dynamics, the controller bears more responsibility regarding privacy, though processors are obviously not off the hook. The distinction between the two will become important as we get into the differences between ISO 27018 and ISO 27701.
What is ISO 27018?
ISO 27018 was most recently updated in 2019 and is intended as an extension to ISO 27001—in fact, 27001 is a prerequisite for this privacy certification. The first privacy-specific international standard for cloud providers, ISO 27018 contains extended controls and related implementation guidance that is particularly helpful to processors of PII using cloud computing.
And while you must have an active ISO 27001 certification (or at least be in progress), it’s important to note that there are no management system requirements within ISO 27018. Rather, 27018 supplements the ISO/IEC 27001:2013 control set within Annex A with 25 extended controls unique to cloud service providers.
These unique controls are associated with the 11 privacy principles within ISO 29100 and address topics such as consent, choice, data minimization and retention, and disclosure limitation.
Early adopters of ISO 27018 included Dropbox and Microsoft, but any organization that processes PII in the public cloud can consider conforming to the guidelines within ISO 27018 to complement their current ISO 27001 certification—which includes private, public, government, and non-profit entities.
While ISO 27018 is specific to the processing of PII in the public cloud, the controls and guidance in the standard can also be relevant to PII controllers, though such organizations may also be subject to additional PII protection legislation, regulations, and obligations that are not covered in ISO 27018.
What is ISO 27701?
That leads us to ISO 27701, which, like 27018, builds on 27001. But unlike ISO 27018, 27701 does have management system requirements—its objective is to help you fold a Privacy Information Management System (PIMS) into your existing ISO 27001 information security management system (ISMS).
The good news is that integrating the 27701 data privacy framework should be pretty straightforward if you’re familiar with ISO 27001, because it's largely based on those requirements and controls—there are just more privacy-specific controls that will need to be added. These are detailed within four clauses and Annexes A and B:
- Clause 5: PIMS requirements for ISO/IEC 27001 compliance
- Clause 6: PIMS guidance for ISO/IEC 27002 (e.g., additional implementation guidance for ISO 27001 Annex A)
- Clause 7: PIMS guidance for PII Controllers
- Clause 8: PIMS guidance for PII Processors
- Annex A: PIMS-specific control objectives and controls for PII Controllers
- Annex B: PIMS-specific control objectives and controls for PII Processors
When standing up your PIMS alongside your ISMS, you’ll need to follow this guidance that will see you implement rigid, tactical controls for managing PII, including how this information is obtained, used, disclosed, and deleted. That will include creating documentation to support your policies, procedures, and activities regarding privacy.
You can choose which control sets are applicable to your scope, depending on how you classify yourself as an organization—Controller, Processor, or perhaps even both.
As with the ISMS for ISO 27001, 27701 requires you to not only establish a PIMS mechanism that addresses all those specific privacy controls but you’ll also be required to maintain and continually improve it as well.
ISO 27018 or ISO 27701?
Now that we’ve established how both of these standards address privacy protections, which certification is more suited to you? Here’s a direct side-by-side comparison:
ISO 27018
- Who it applies to: PII processors handling PII in the public cloud (controllers may also find the controls relevant)
- Management system and effort: No management system considerations, additional control set (25 controls)
ISO 27701
- Who it applies to: PII Controllers, Processors, or organizations in or out of the cloud
- Management system and effort: Comprehensive PIMS management system and additional control set mean more preparation and ongoing effort (though your number of controls depends on your role as PII processor, controller, or both)
It comes down to this:
- For PII Controllers, it makes sense to get ISO 27701 certified because you’ll be taking a systemic approach to privacy protection. Given the responsibility you bear, it makes sense to take advantage of the customization you’ll be able to do within the PIMS.
- For PII Processors, you’ll need to decide between just adding the 27018 control set to your ISO 27001 ISMS or if you also want to take that more comprehensive approach of 27701 / PIMS.
Next Steps for Your ISO Certification
ISO has become a gold standard to provide assurances regarding security postures, and ISO 27018 and ISO 27701 both represent very good options for additional privacy considerations. Though the latter supports a wider, international range of data protection and privacy legislation, the heavier lift of PIMS implementation may not suit your resources as much as ISO 27018’s control set with its control objectives and guidelines for protecting PII.
Now that you know a little bit about both of these options, maybe you’re thinking you might consider another privacy initiative altogether. If that’s true, be sure to read our content on two other ways to provide these assurances to your customers:
But we understand that this landscape, as ever-changing as it is, may still feel confusing. If that’s the case, we would encourage you to reach out to our dedicated team of privacy experts who would be more than happy to answer any specific questions you have.
About DANNY MANIMBO
Danny Manimbo is a Principal with Schellman based in Denver, Colorado. As a member of Schellman’s West Coast / Mountain region management team, Danny is primarily responsible for leading Schellman's AI and ISO practices as well as the development and oversight of Schellman's attestation services. Danny has been with Schellman for 10 years and has over 13 years of experience in providing data security audit and compliance services.