ISO 27018 Certification for Cloud Service Providers

Numerous standards have been added to the ISO 27000 series since its introduction in 2005, including revised versions of the base standards, ISO 27001, Information Security Management Systems, and 27002, Code of Practice for Information Security Controls. One of the newest standards, ISO 27018, Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors, was adopted in July 2014 and focuses on protecting PII stored in public cloud environments. Although strides have been taken to safeguard sensitive information in traditional and cloud-hosted infrastructures, PII theft has increased at an alarming rate across multiple platforms and industries. With more companies moving to the cloud, ensuring the security and privacy of PII, as well as the strength of cloud service providers’ controls, is critical.

Here’s how ISO 27018 fits alongside the core standards of the ISO 27000 series.

  • ISO 27001 – Provides a framework for the development of an information security management system. ISO 27001 is the management standard against which cloud service providers (and other organizations) can certify.
  • ISO 27002 – Provides detailed security controls that organizations can use to implement the principles and standards contained in ISO 27001.
  • ISO 27018 – Augments ISO 27002 controls with items that are specific to cloud privacy and the protection of PII.

Alignment with ISO 27018 holds a number of benefits for cloud service providers. Because ISO 27001 is the management standard, providers must certify against ISO 27001. At the time they are granted ISO 27001 certification, they may also be able to obtain a certificate indicating compliance with ISO 27018. This can be a big selling point: certification demonstrates the maturity of the provider as well as their respect for the customer’s security needs. In addition, obtaining certification can streamline the client contract process by eliminating the need for time-consuming questionnaires whose questions are answered by the certification.

ISO 27018 covers a variety of controls related to the proper handling of PII. Its standards address customer inquiries, as well as provider audits and government reviews. For providers, evidence of certification is essentially proof of sound practices and policies conforming to industry standards. This can do wonders for increasing current and future clients’ peace of mind.