What is ISO 27018:2019? Everything an executive needs to know

Learn how ISO 27018 controls can help cloud service providers reduce security risks to personal data.


ISO 27018 is the first international standard developed specifically for data privacy in cloud computing. According to the International Organization for Standardization (ISO), its main goal is to establish "generally accepted control objectives, controls and guidelines for implementing measures to protect personally identifiable information (PII)."

ISO 27018 is part of the ISO 27000 series of standards that define best practices for information security management. ISO 27018 adds new guidance, enhancements and security controls to the ISO/IEC 27001 and ISO/IEC 27002 standards to help cloud service providers better manage the data security risks specific to PII in cloud computing.

Although ISO 27018 is not a law, there are many benefits to following its guidelines and getting certified (more on that below). Because the standard is not freely available to the public, we've combed it to help you make informed decisions about compliance and certification.

Here are the most important things you need to know about ISO 27018, and why it's a good idea to follow it.

"2019" version vs "2014" version - what's new?

ISO 27018 was first created in 2014 (ISO/IEC 27018:2014) and last revised in 2019 (ISO/IEC 27018:2019). The differences between the two versions are minor and do not change in any major way the best practices for protecting PII in cloud computing and public cloud applications.

As ISO stated in Section 2 of the 2019 edition, "This second edition cancels and supersedes the first edition (ISO/IEC 27018:2014)." It goes on to explain that the revisions were mainly to correct editorial errors in Annex A.

However, one notable revision to point out from a certification standpoint is that ISO 27018 is no longer referred to as a "standard" in the document itself. Instead, the latest version replaces all references to "standard" with the word "documentation".

In simple terms, this means that ISO 27018 is now considered a set of guidelines and controls that enhance ISO 27001 (the standard for building information security management systems or ISMS), rather than a standard for organizations to certify against.

If a cloud service provider handles PII, it should be certified against ISO 27001, with ISO 27018 applied as the supplementary guideline.

Why ISO 27018 compliance is beneficial

A PricewaterhouseCoopers study found that "85% of consumers would not do business with a company if they were concerned about their security practices." In short, ISO 27018 compliance is critical for cloud service providers and their customers alike. Either way, it is a competitive advantage:

  • For cloud service customers: If you can show consumers that their data is protected by comprehensive PII protection standards (by partnering with an ISO 27018 compliant cloud service provider), they will be more likely to do business with you.

  • For cloud service providers: If you're ISO 27018 compliant, it's easier to close deals with potential clients because you can say "we follow the most comprehensive data controls".

Here are four more ways that ISO 27018 compliance can benefit your business.

1. Improve global operations

Since ISO 27018 is an extension of ISO 27001, it is part of an internationally recognized standard. This means that if a cloud service provider operates globally, it is easier to provide assurances about its security practices, as the standard is recognized in most countries.

Note: Given that ISO 27018 is globally accepted, following ISO 27018 will simplify cloud privacy in many cases. However, it is always important to consult with a data privacy attorney who is proficient in the laws of the specific country you are trying to do business in to ensure you are compliant.

2. Enhanced security and legal protection

Obtaining ISO 27001/27018 certification is an important part of establishing a security baseline for any business dealing with data in the cloud. In short, following these standards can help you reduce your security risks, as they are considered among the most comprehensive standards for cloud computing applications.

Implementing ISO 27018 controls and gaining certification can also help protect your business from accusations of negligence or recklessness in the event of a breach.

Negligence charges often lead to harsher penalties (as Equifax found in 2019). But if a business uses a well-defined, risk-based approach to protecting users' personal data, it not only reduces the likelihood of a breach, but it also demonstrates the company's focus on security.

The same goes for customers of cloud service providers. Partnering with an ISO 27001/27018 certified cloud provider shows regulators that you are taking important steps to protect your users' personal data.

3. Simplified sales process

Enterprise security is a major point of friction for many IT sales transactions. ISO 27018 helps reduce this friction because it reduces the amount of information an enterprise needs to review before it can sign with confidence.

Instead of answering lengthy surveys or questionnaires from potential customers, cloud service providers certified to ISO 27001/27018 can simply have their customers review their Statement of Applicability (a list of in-scope security controls and how they are implemented) to provide the assurance needed to close a deal.

4. Better security for a post-pandemic world

Cloud computing usage is growing at a significant rate due to the rise in remote work caused by COVID-19 (spending increased by 37% in 2020, according to PwC). The growth has also led to an increase in cyber attacks globally, according to Interpol and the U.S. Chamber of Commerce.

However, while many employees have returned to the office, a PwC survey from the end of 2020 suggested that remote work is likely to remain common even after the pandemic is over. As such, cloud usage will likely remain high to accommodate remote workers, and ISO 27018 compliance will continue to be beneficial long after COVID-19 is gone.

ISO 27018 Controls and Compliance

If you are serious about implementing the controls set out in ISO 27018 or about becoming certified to ISO 27001, we strongly recommend that you read both standards to familiarize yourself with all the requirements placed on you.

To better understand what you need to prepare, here is an overview of the controls specified in ISO 27018 and the process for certification to ISO 27001.

ISO 27018 Control Overview

The following requirements are guidance for cloud service providers on how to update their procedures, technology, infrastructure, etc. to comply with the controls specified in ISO 27018.

Some of these recommendations may feel familiar as they appear in regulations such as GDPR (this is just one example of how the ISO 27018 guidelines can help you meet regulatory requirements in different countries):

  1. Always process customer data according to the wishes of the customer. Basically, you need to prove that you're only using PII in ways its owner has expressly approved. This means that if a user says their information may not be used for marketing and advertising, you should have a process in place to ensure that never happens.

  2. Help cloud customers provide access to their data when users request it. Or, in plain English, if your client's customers want to access their data, you need to set up processes and technology to help them do that.

  3. Enable cloud customers to comply with their notification obligations in the event of a data breach. If a compromise occurs, cloud service providers should help their customers understand what happened to their data.

  4. Share information only with the minimum required parties. Basically, keep the data private unless you are required to hand it over. This helps protect the security of personal information.

  5. Tell your customers about any sub-processors in your contracts with them. This includes notifying your customers about where that data is being processed.

  6. Make sure you have a policy for handling (or returning) data that you no longer use. For example, if a customer ends their service agreement with you, you must have a plan for what to do with their data.

  7. Have your operations regularly reviewed and audited by third parties. Third-party certification is required annually. However, if you make significant changes to your data-handling processes, you will also need a third party to review those changes.

  8. Make sure every employee who has access to your customer data is under an NDA. This increases accountability and legal protection if one of your employees is responsible for sharing data when it shouldn't be.

  9. Make sure your employees are adequately trained. All employees with access to customer data should be trained to handle data in accordance with ISO 27018 guidelines.

Overview of the ISO 27001 Certification Process

As mentioned above, ISO 27018 certification is part of the ISO 27001 certification process for cloud service providers. ISO 27001 certification is required every three years and is determined by an ISO accredited third party. It usually happens in two stages:

  1. Stage 1: Informal review of your Information Security Management System (ISMS). The purpose of Stage 1 is to familiarize the auditor with your organization. During this stage, the auditor will check key documents and procedures (to ensure they exist).

  2. Stage 2: Formal compliance audit. In Stage 2, the auditor will conduct a detailed test of your ISMS against the requirements in ISO 27001 and 27018, looking for evidence that it complies with the requirements set out in the standard. If your ISMS passes this stage, you will be certified for the current year.

Once certified, you will be required to participate in an annual surveillance audit to ensure continued compliance. If your ISMS is on the newer side, these surveillance audits may happen a few times a year to make sure everything is in order.

Are ISO 27018 controls worth implementing?

While the controls set out in ISO 27018 are not legally required, if you're a cloud service provider that handles PII, it's a very good idea to follow them -- especially if you do business internationally.

Indeed, the cost of getting certified to ISO 27001 can be prohibitive for some organizations (the cost of certification varies by business, depending on the size of your business, scope of cloud usage, etc.). But data breaches aren't cheap ($3.86 million on average).

While certification does not completely prevent breaches, the controls recommended by ISO 27018 can definitely improve your chances of avoiding breaches (and you'll get better coverage in the event of a breach), even if you don't seek certification.

Especially when you consider the impact a breach could have on your brand (65% to 80% of consumers lose trust in a company that is breached)!



Copyright © 2025 Shanghai Digital Shell Information Technology Co., Ltd All Rights Reserved.