ISO/IEC 27018:2019 – Guidelines for Managing PII in Public Cloud Services

Key Definitions

• Personally Identifiable Information (PII): Any data that can be used to identify an individual, such as names, contact details, social security numbers, and other personal identifiers.
• Cloud Service Provider (CSP): A company or organization that provides cloud services, including infrastructure, platforms, and software, to customers.
• PII Processor: An organization that processes personal data on behalf of another organization, often as part of a cloud service arrangement.
• Data Controller: The organization or entity that determines the purposes and means of processing personal data.
• Data Processor: An organization or entity that processes personal data on behalf of a data controller, typically in accordance with the controller’s instructions.

Clause-wise structure of ISO/IEC 27018:2019

What are the requirements of ISO/IEC 27018:2019?

ISO/IEC 27018:2019 provides specific requirements that organizations must adhere to when processing PII in the cloud. These include guidelines for ensuring the security, privacy, and compliance of PII handling practices. Key requirements include:

• Organizations must ensure that they process PII only on the basis of the customer’s consent or another legal basis, as required by applicable data protection laws.
• Organizations should collect and process only the PII that is necessary for the specific purposes for which it was collected.
• Strong access controls must be implemented to ensure that only authorized personnel can access PII.
• Data at rest and in transit must be encrypted to ensure its confidentiality and integrity.
• Organizations must have processes in place to detect and report data breaches involving PII within a specified time frame.
• Cloud service providers must ensure that sub processors (third-party service providers) involved in the processing of PII also comply with ISO/IEC 27018 and similar privacy protection measures.

For more information, contact us at support@pacificcert.com.

ISO/IEC 27018 Certification: Audit Checklist

1. Have cloud roles and responsibilities between the provider and customer been clearly defined and documented?
2. Is virtual machine configuration securely managed and isolated in multi-tenant cloud environments?
3. Are procedures in place for the secure return, deletion, or migration of customer assets after contract termination?
4. Is administrative access by cloud service customers properly controlled and monitored by the provider?
5. Are cloud-specific security requirements addressed in the service agreement (data location, jurisdiction etc.)?
6. Is customer activity within the cloud environment logged, monitored, and reviewed for anomalies?
7. Are customers informed of any changes that may affect cloud service security controls or SLAs?
8. Are measures implemented to segregate and protect customer data in shared infrastructure setups?
9. Is there a documented process for handling cloud-specific incidents and notifying affected parties?

What are the benefits of ISO/IEC 27018 Certification?

ISO/IEC 27018 certification shows that organizations prioritize the protection of personal data and helps build trust with customers. The benefits of certification include:

• Certification ensures that PII is handled in a secure and compliant manner, reducing the risk of data breaches.
• Certification upgrades credibility by demonstrating that the organization follows strict privacy and security standards.
• Certification helps organizations meet the requirements of data protection laws such as the GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act).
• Organizations with ISO/IEC 27018 certification differentiate themselves in the marketplace, offering privacy-conscious cloud services.

As privacy concerns and data protection regulations continue to evolve, the demand for ISO/IEC certification is expected to rise significantly in the recent years. Organizations will increasingly prioritize secure cloud services that protect PII and ensure compliance with global data protection laws. Cloud service providers that adopt ISO/IEC will gain a competitive edge by offering customers transparent and secure data processing practices.

Certification Process

The certification process for ISO/IEC 27018 typically includes the following steps:

1. Pre-Certification Assessment: Conducting a gap analysis to identify areas for improvement in the organization’s PII processing practices.
2. Documentation Review: Reviewing the organization’s policies, procedures, and documentation to ensure they meet ISO/IEC requirements.
3. Stage 1 Audit: A preliminary audit to assess readiness for certification and identify potential issues in PII processing.
4. Stage 2 Audit: A comprehensive on-site audit to evaluate the implementation of security and privacy controls in cloud services.
5. Certification Decision: Certification is awarded once the organization meets all requirements.
6. Ongoing Monitoring: Regular surveillance audits to ensure continued compliance with ISO/IEC 27018.

Timeline for ISO/IEC 27018 Certification

The timeline for ISO/IEC 27018 certification generally spans several months. The pre-assessment and preparation phase takes 1-2 months, during which the organization reviews its current security practices. The Stage 1 audit usually lasts about 1 month. The Stage 2 audit, which involves a more overreaching evaluation, takes 1-2 months. Certification issuance occurs within 3-6 months, depending on audit findings and the organization’s readiness.

What is the Cost of ISO/IEC 27018:2019?

The cost of ISO/IEC 27018 certification varies depending on several factors, including the size of the organization, the complexity of its cloud services, and the number of locations involved.

Audit Fee is the Fee for the certification body’s audit process. Training costs are the costs for educating staff on ISO/IEC certification and the necessary processes for compliance. Ongoing maintenance are the costs for regular audits and recertification required every 3 years.

How Pacific Certifications Can Help?

At Pacific Certifications, we provide comprehensive auditing and certification services for ISO/IEC 27018. Our team will guide you through the entire certification process, ensuring that your organization meets the highest standards for data protection in cloud services. Our services include:

• Stage 1 and Stage 2 audits to evaluate privacy and security controls.
• Objective conformity assessments based on ISO/IEC certification.
• Certification issuance upon successful completion of the audit.
• Ongoing surveillance audits to ensure continued compliance.
• Support for multi-site or global operations.

For audits and certification, contact support@pacificcert.com.

ISO/IEC 27018 Training and Courses

Various training courses are available to help organizations comply with ISO/IEC 27018, including:

• Lead Auditor Training – Equips professionals to conduct external third-party audits.
• Lead Implementer Training – For those responsible for planning and executing ISO/IEC 27018 implementation.
• Internal Auditor Training – Preparing internal auditors for certification audits

Pacific Certifications provides accredited training programs. If your organization is looking for ISO/IEC training, our team is equipped to help you, contact us today at support@pacificcert.com