ISO/IEC 27000-series

ISO/IEC 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

ISO/IEC 27018 is a standard that provides guidelines for protecting personally identifiable information (PII) in public clouds acting as PII processors. It is an extension of ISO/IEC 27002 and aligns with the principles of ISO/IEC 29100 (Privacy Framework). This standard focuses on ensuring that cloud service providers implement adequate controls to protect PII and comply with applicable privacy regulations.

Key Components of ISO/IEC 27018

  1. Introduction:
    • Purpose: Explains the objective of ISO/IEC 27018, which is to provide guidelines for protecting PII in public cloud environments.
    • Audience: Intended for cloud service providers (CSPs) and organizations that use cloud services to process PII.
  2. Scope:
    • Applicability: Applicable to all types of cloud service providers that process PII on behalf of their customers, regardless of size, industry, or sector.
  3. Normative References:

Structure and Content

ISO/IEC 27018 provides implementation guidance for the controls specified in ISO/IEC 27002, with additional controls specifically for protecting PII in cloud environments. It is structured around the same 14 control domains as ISO/IEC 27002, with specific guidelines for cloud services.

  1. Clause 5: Information Security Policies:
    • PII Protection Policies: Establish and implement policies specifically for the protection of PII in cloud services.
  2. Clause 6: Organization of Information Security:
    • Roles and Responsibilities: Define and document roles and responsibilities for PII protection.
    • Cloud Service Agreements: Ensure that contracts with cloud customers include clauses for PII protection.
  3. Clause 7: Human Resource Security:
    • Training and Awareness: Provide training on PII protection for employees involved in processing PII.
    • Screening: Implement screening procedures for personnel with access to PII.
  4. Clause 8: Asset Management:
    • PII Inventory: Maintain an inventory of PII processed in the cloud environment.
    • Asset Management: Manage assets that store or process PII.
  5. Clause 9: Access Control:
    • Access Controls for PII: Implement access controls to ensure only authorized personnel can access PII.
    • User Access Management: Manage user access rights to PII.
  6. Clause 10: Cryptography:
    • Encryption of PII: Use encryption to protect PII both in transit and at rest.
    • Key Management: Implement robust key management practices for PII encryption.
  7. Clause 11: Physical and Environmental Security:
    • Data Center Security: Ensure physical security controls are in place at data centers processing PII.
  8. Clause 12: Operations Security:
    • Operational Procedures: Develop and implement procedures to securely process PII.
    • Monitoring and Logging: Monitor and log activities related to PII processing.
  9. Clause 13: Communications Security:
    • Network Security: Secure network communications that involve PII.
    • Data Transfer: Protect PII during data transfers.
  10. Clause 14: System Acquisition, Development, and Maintenance:
    • Secure Development: Ensure that systems processing PII are developed securely.
    • Change Management: Implement change management processes that consider PII protection.
  11. Clause 15: Supplier Relationships:
    • Third-Party PII Processing: Manage security risks associated with third-party processing of PII.
    • Supplier Agreements: Include PII protection requirements in supplier agreements.
  12. Clause 16: Information Security Incident Management:
    • PII Breach Response: Develop and implement incident response plans specifically for PII breaches.
    • Incident Reporting: Ensure timely reporting of PII breaches to relevant stakeholders.
  13. Clause 17: Information Security Aspects of Business Continuity Management:
    • PII Continuity Planning: Ensure business continuity plans address the protection of PII.
    • Disaster Recovery: Implement disaster recovery plans that include PII protection.
  14. Clause 18: Compliance:
    • Legal and Regulatory Compliance: Ensure compliance with legal and regulatory requirements for PII protection.
    • Privacy Impact Assessments: Conduct privacy impact assessments to identify and mitigate risks to PII.

Detailed Guidance

  1. Data Protection Principles:
    • Transparency: Ensure clear and transparent communication with customers regarding how their PII is processed.
    • Purpose Limitation: Process PII only for the purposes specified in the contract with the customer.
    • Data Minimization: Limit the collection and retention of PII to what is necessary for the specified purposes.
    • Accuracy: Ensure that PII is accurate and up to date.
    • Storage Limitation: Retain PII only for as long as necessary to fulfill the specified purposes.
    • Integrity and Confidentiality: Protect PII against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
  2. Customer Control:
    • Access to PII: Enable customers to access, correct, and delete their PII as required by applicable privacy laws.
    • Consent Management: Ensure that customer consent is obtained and managed in accordance with applicable privacy regulations.
  3. Security Practices:
    • Data Encryption: Use strong encryption methods to protect PII in storage and transmission.
    • Multi-Factor Authentication: Implement multi-factor authentication for accessing systems that process PII.
    • Regular Audits: Conduct regular security audits and assessments to ensure compliance with PII protection requirements.
  4. Incident Response:
    • Breach Notification: Develop procedures for notifying customers and regulators of PII breaches within required timeframes.
    • Remediation: Implement measures to mitigate the impact of PII breaches and prevent future occurrences.
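The principles and practices above are stated as policy; to show what they look like when enforced in code, here is an added example that is not part of this page or of ISO/IEC 27018 itself. It is a small in-memory PII store that refuses fields outside a per-purpose allow-list (data minimization), releases a record only under the purpose it was collected for (purpose limitation), purges records past a retention deadline (storage limitation), deletes on request (customer control), and writes an access log for every operation (monitoring and logging). The purposes, field names, retention periods, actor names and sample data are constructed assumptions, not values from the standard.

```python
"""Added example, not code from the page or from ISO/IEC 27018 itself: a small
in-memory PII store that enforces purpose limitation, data minimization and
storage limitation, supports deletion on request, and keeps an access log.
All purposes, field names, retention periods and sample data are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Data minimization: the only fields a record may hold for each processing
# purpose; anything else is refused at write time. (Constructed allow-list.)
ALLOWED_FIELDS = {
    "billing": {"name", "email", "postal_address"},
    "support": {"name", "email"},
}

# Storage limitation: maximum retention per purpose. (Constructed values.)
RETENTION = {
    "billing": timedelta(days=365),
    "support": timedelta(days=90),
}


@dataclass
class PiiRecord:
    subject_id: str
    purpose: str
    fields: dict
    stored_at: datetime

    def expires_at(self) -> datetime:
        return self.stored_at + RETENTION[self.purpose]


@dataclass
class PiiStore:
    records: list = field(default_factory=list)
    access_log: list = field(default_factory=list)

    def _log(self, event, actor, subject_id, purpose, now, ok):
        # Every operation, refused or not, leaves an entry for monitoring.
        self.access_log.append({"ts": now.isoformat(), "event": event,
                                "actor": actor, "subject": subject_id,
                                "purpose": purpose, "ok": ok})

    def store(self, subject_id, purpose, fields, actor, now):
        """Accept a record only if every field is permitted for its purpose."""
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose {purpose!r}")
        extra = set(fields) - ALLOWED_FIELDS[purpose]
        if extra:
            self._log("store", actor, subject_id, purpose, now, ok=False)
            raise ValueError(f"fields not permitted for {purpose}: {sorted(extra)}")
        self.records.append(PiiRecord(subject_id, purpose, dict(fields), now))
        self._log("store", actor, subject_id, purpose, now, ok=True)

    def read(self, subject_id, purpose, actor, now):
        """Purpose limitation: PII collected for one purpose is not released
        for another; records past their retention deadline count as absent."""
        matches = [r for r in self.records
                   if r.subject_id == subject_id and r.purpose == purpose
                   and r.expires_at() > now]
        self._log("read", actor, subject_id, purpose, now, ok=bool(matches))
        if not matches:
            raise PermissionError(f"no PII for {subject_id} under {purpose!r}")
        return [dict(r.fields) for r in matches]

    def purge_expired(self, now):
        """Storage limitation: drop records whose retention period has ended."""
        expired = [r for r in self.records if r.expires_at() <= now]
        self.records = [r for r in self.records if r.expires_at() > now]
        for r in expired:
            self._log("purge", "retention-job", r.subject_id, r.purpose, now, True)
        return len(expired)

    def erase(self, subject_id, actor, now):
        """Customer control: delete all PII held for a data subject on request."""
        before = len(self.records)
        self.records = [r for r in self.records if r.subject_id != subject_id]
        removed = before - len(self.records)
        self._log("erase", actor, subject_id, "*", now, ok=removed > 0)
        return removed


def demo():
    """Constructed walk-through; returns the store and the purge count."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = PiiStore()
    s.store("subj-1", "billing", {"name": "A. Example", "email": "a@example.invalid",
                                  "postal_address": "1 Test St"}, "billing-svc", t0)
    s.store("subj-1", "support", {"name": "A. Example", "email": "a@example.invalid"},
            "support-svc", t0)
    try:  # data minimization: date of birth is not permitted for support
        s.store("subj-2", "support", {"name": "B", "date_of_birth": "1990-01-01"},
                "support-svc", t0)
    except ValueError:
        pass
    try:  # purpose limitation: nothing was collected for "marketing"
        s.read("subj-1", "marketing", "marketing-svc", t0)
    except PermissionError:
        pass
    # 100 days on, the support record is past its 90-day retention; billing stays.
    return s, s.purge_expired(t0 + timedelta(days=100))


if __name__ == "__main__":
    store, purged = demo()
    print(f"purged {purged}; {len(store.records)} kept; {len(store.access_log)} log entries")
```

The two refused operations in `demo()` still appear in `access_log` with `ok=False`, which is the detail an auditor reviewing Clause 12 monitoring evidence would look for: a control that only records successful access cannot show that purpose limitation was ever exercised.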

Benefits of ISO/IEC 27018

  • Enhanced Data Protection: Provides specific guidelines for protecting PII in cloud environments, addressing the unique challenges of cloud services.
  • Compliance: Supports compliance with international privacy laws and regulations, such as GDPR.
  • Customer Trust: Builds trust with customers by demonstrating a commitment to protecting their PII.
  • Risk Management: Enhances the organization’s ability to manage information security risks related to PII processing.
  • Shared Responsibility Clarity: Clarifies the shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs) for PII protection.

ISO/IEC 27018 is a valuable resource for cloud service providers and customers seeking to ensure the protection of PII in cloud environments, supporting compliance with privacy regulations and building trust with stakeholders.


Discover more from Cyber Risk Countermeasures Education (CRCE)