"Even when clouds grow thick, the sun still pours its light earthward."
The poet Mark Nepo wasn’t speaking about cloud security when he wrote that, but it makes for a lyrical way to consider the landscape. As a cloud provider, you likely prioritize security, but that doesn’t mean that bad actors won’t continue to “pour their light earthward” toward hacking the information within.
Now that we are well immersed in the Digital Age, data privacy has become more of a concern for consumers than ever, and the onus is on organizations to reassure them. Though new privacy regulations and standards have popped up all over the globe, one option you do have falls under what might be a familiar umbrella—ISO 27018.
As an experienced ISO certification body that provides a variety of these services to organizations, we know that opting for one of these certifications is a significant investment. That’s why, in this article, we’ll go over the ISO 27018 standard and its security guidelines, as well as the benefits of attaching this certification to that for ISO 27001.
ISO 27018 may be the right kind of specific assurance your customers need—read on to find out.
What is ISO 27018?
It was back in July 2014 that the ISO and IEC inaugurated ISO 27018 into the 27000 family—the standard has since been revised twice, most recently in 2019. At its core, this standard outlines best practices for public cloud service providers (CSPs) on how to better protect the personally identifiable information (PII) they process.
Some of the earliest adopters of ISO 27018 included some big names; however, any organization that processes PII in the public cloud can consider conforming to the guidelines within ISO 27018 today—that includes private, public, government, and nonprofit entities.
But do you really need to be certified? Here’s what CSPs need to know about ISO 27018:
- ISO 27018 is the first privacy-specific international standard for CSPs that provides a common set of security categories and controls that, when used in conjunction with the information security objectives and controls in ISO 27002, can be implemented by a public cloud computing service provider acting as a PII processor.
- It provides commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO 29100.
- The standard is constructed to augment ISO 27002 through both:
  - Implementation guidance applicable to public cloud PII protection for certain existing ISO 27002 controls; and
  - An additional control set and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO 27002 control set.
- For the reasons above, ISO 27001 certification is a prerequisite, as ISO 27018 serves as a sector-specific extension standard to your existing ISO 27001 certification.
- However, this implementation guidance and additional control set are simply added to the control set supporting your ISMS, as noted in your statement of applicability and other supporting documents; ISO 27018 introduces no further management system requirements.
- The standard is considered very applicable to organizations that provide information processing services as PII processors via cloud computing.
(While it can also be relevant for PII controllers, these kinds of organizations may also be subject to additional PII protection legislation, regulations, and obligations that are not covered in ISO 27018).
Key Guidelines of ISO 27018
So what would you need to do in order to conform to this standard?
ISO 27018 outlines several key guidelines you can follow/include in your control framework to demonstrate conformance to the standard. These include:
- Not using PII for marketing or advertising purposes unless your customer(s) consent to such use. Essentially, the customer retains control over their data while you are restricted to processing PII only as per their instructions.
- Handling PII in a specific manner when transmitting over public networks, storing on mobile devices, or recovering or restoring data. The CSP (and relevant staff) must also sign a confidentiality agreement and provide specialized training for employees who will be directly processing PII.
- Notifying your customers promptly if a data breach occurs, maintaining a clear record of the incident, and assisting customers in remaining compliant with their own security obligations.
- Disclosing the names of any sub-processors—and any location information about where PII may be processed—before a contract is signed. If the provider changes sub-processors mid-contract, it must also notify the customer(s) and provide the customer with the right to object to the change or terminate the contract.
While this list isn’t an exhaustive account of all the requirements for certification, it does demonstrate ISO 27018’s overarching concerns with the use of PII and the related disclosure and notification obligations.
4 Benefits of ISO 27018 Certification
At this point, the question now becomes: why should you invest in the pursuit of this certification? In fact, there are several benefits to including ISO 27018 in your compliance framework. The most obvious include:
1. Increased Customer Confidence
To begin with, customers will feel more assured in trusting a CSP that can demonstrate third-party validation of market-specific best practices. If you conform to the ISO 27018 standard and hold the proof in certification, your customers will know you have a deep understanding of how to safely handle PII that you process on their behalf and that you’re dedicated to protecting their data, which helps in differentiating your brand from competitors.
2. Streamlined Global Operations
Because ISO 27018 guidelines are universal and apply to other countries in addition to the United States, conformance will make it easier for you to participate in the global marketplace and for your customers to sign international contracts.
3. Quicker Contract Process
It’s not uncommon for a customer to ask a CSP to answer several questions about its standard practice for handling PII. But through your conformance to ISO 27018, many of these questions can be addressed through your deliverable, saving you time when bringing a new client on.
There’s also the issue of cyber insurance. Though it’s often necessary to cover the cost of a data breach or other privacy violation, it’s expensive, lacks a standard, and the complications can derail the contract process—fast. But cyber insurance companies prefer to see security credentials, like ISO 27018, and their terms and conditions reflect it, so certification by such a standard can ease these processes as well.
4. Less of a Lift for Organizations Compared to ISO 27701
ISO 27018 may have been the first, but with the introduction of ISO 27701 in 2019, organizations now have two sector-specific ISO standards for privacy to enhance their existing ISO 27001 certification/ISMS.
And while ISO 27701 has seen increased adoption and gained a lot of popularity since it was first released, it is a management system standard, meaning that it contains the requirements for organizations to implement a privacy information management system, or a PIMS, in addition to the control implementation guidance and additional control sets for either a PII processor, controller, or both.
Meeting these enhanced requirements of ISO 27701 and building out a PIMS is no small lift. Organizations that don’t want to implement a management system-based standard, and are only concerned with demonstrating the controls they have in place to protect the PII they process in the public cloud, may opt for ISO 27018 instead.
Next Steps for Your ISO 27018
The ISO 27018 standard was originally introduced to help fill a global compliance gap, and as we’ve just laid out, there are important benefits to reap should you choose to incorporate it into your framework. Even so, you may still need to factor in potential costs, implementation timeline, and maintenance requirements before committing, which is understandable.
Moreover, there are more privacy compliance standards out there as well that may fit in better with your needs, including an entirely separate ISO standard in 27701, as referenced above. To find out more about these, read our other content that breaks down their pros, cons, and benefits:
- ISO 27018 vs. ISO 27701
- Expanding Beyond Your ISO 27001? ISO 27018 and 27701 Differences
- What are the Benefits of an APEC CBPR/PRP Certification?
- Should You Include Privacy as a Trust Service Category In Your SOC 2?
Privacy will only become more and more critical as the business landscape continues to digitalize, and prolonging any action to protect data puts you and your customers at risk—“the sun still pours its light,” after all. So, if you have any questions—about ISO 27018 or other privacy standards—please feel free to contact our dedicated privacy team who would be happy to help you address your concerns.
About JORDAN HICKS
Jordan Hicks is the Manager of Content at Schellman. As the owner of content marketing initiatives across all digital platforms and formats, she is responsible for the ideation of content, the authoring and development of the content, as well as developing and managing the editorial calendar to ensure the marketing goals are met as it relates to content.