ISO / IEC 27018 :2019 Information Technology
Safety & Risk
Environment & Energy
Good Industry Practices
1.Introduction to ISO/IEC 27018:2019-Information technology —
Security techniques — Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers’ clients by securing Personally Identifiable Information entrusted to them.
The standard will be followed by ISO/IEC 27017 covering the wider information security angles of cloud computing, other than privacy.
What is ISO 27018:2019:
It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
Why ISO 27018:2019:
- Vast quantities of data are held in the public cloud, necessitating thorough protection requirements.
- Data breaches can include individual loss of rights and freedoms, identity theft, monetary penalties and huge loss of reputation for the responsible data controller.
- Compliance to protect personal data and ensure it is treated in accordance with the law.
What benefits ISO 27018 brings to business:
- Competitive advantage,
- Protects your brand protection,
- Reduces risks – ensures that risks are identified, and controls are in place,
- Protects against fines,
- Help grow your business.
- Any organisation, large or small, in any sector. The standard is especially suitable where the protection of personal data such as payroll, HR or clients payment details are stored in a cloud environment.
- If your organisation is already implementing ISO 27001 ISMS then you are covered for 70% of the regulations within ISO 27001. However, if you are operating using cloud base technologies then ISO 27018 has been seen as an effective bolt-on standard as companies wish to demonstrate GDPR compliance specifically with data that is stored on the cloud
Our Consulting approach:
- Gap Analysis: Assessment of existing management system practices against the selected standard requirements.
- Project Plan: Prepare a implementation project plan based on the time lines looking for;
- Orientation Training: Top/Senior Management orientation on selected standard requirements and implementation action plans preparation;
- Developing different levels of documentation ( Tier 1-3/4): Identification of processes required for the products produced and services provided; External and internal issues affecting the business, interested parties needs and expectations, Framing draft quality policy, organizational objectives, role, responsibility and authority, various risks affecting and opportunities arises, functional and system procedures, different implementation formats and checklists;
- System Implementation: Implementation of the selected management system as per the developed documentation;
- Company-wide Training: Training on detailed clause wise requirements and relating them to their departments and Internal audit.
- Internal Audits: Periodic assessment of system implementation and corrective actions.
- Pre assessment: Initial audit by Certifying agency, and, implementation of corrective actions.
- Final Assessment: Certification audit by the Certifying agency and recommendation for certification.