- Are you a cloud service provider?
- Do your customers process personal information?
- Do your customers use your platform to deliver their services?
- Do you offer data processing options that your customers can tailor to their needs?
If these four conditions apply to your organization, then this standard is for you.
Alternatively, you can use the standard to evaluate your own cloud service provider.

ISO 27018 is an international standard that defines best practices for the protection of personal data and privacy in cloud solutions.
It was developed by the International Organization for Standardization (ISO); the first version was published in July 2015, and a revision was published in January 2019.
The standard provides guidance on how to implement measures to protect personal data stored or processed in cloud computing.
The standard is voluntary, but organizations that are already ISO 27001 certified can use it to demonstrate their specific commitment to protecting personal information.
It **enhances** the ISO 27001 information security standard and the ISO 27002 code of practice for information security management.
The standard applies to all organizations that process personal data in the cloud, including cloud service providers.
It is designed to help cloud service providers ensure that they have appropriate security controls in place to protect their customers’ personal data.
Organizations that process personal data in the cloud can use ISO 27018 to:
– Select and implement security controls to protect personal data in the cloud;
– Establish policies and procedures to guarantee the security of personal data in the cloud;
– Comply with applicable privacy laws and regulations.
List of security measures or topics covered
In addition to the enhancements to ISO 27001 and its Annex A, ISO 27018 also includes specific additions for the protection of personal information:
A.2.1 – Obtaining consent and managing personal information
A.3.1 – Define objectives and specifications for the use of personal information
A.3.2 – Define the commercial use of personal information
A.4 – Limit data collection.
A.5.1 – Confirm deletion of temporary files
A.6.1 – Define the management of requests for access to information.
A.6.2 – Create a disclosure record.
A.7 – Confirm the quality and accuracy of personal information
A.8.1 – Disclose the use of third-party systems for processing personal information
A.9 – Manage individual access and participation.
A.10.1 – Supervise the disclosure of security breaches.
A.10.2 – Define information retention periods.
A.10.3 – Define information transfer procedures.
A.11.1 – Signature of confidentiality agreement
A.11.2 – Restrict the printing of materials containing personal information
A.11.3 – Create an information systems restoration register
A.11.4 – Supervise the use and protection of external copies.
A.11.5 – Restrict the use of unencrypted mobile systems.
A.11.6 – Encrypt data transmissions.
A.11.7 – Document a procedure for destroying printed material.
A.11.8 – Force the use of unique identifiers.
A.11.9 – Create a register of authorized users.
A.11.10 – Restrict reuse of old accounts.
A.11.11 – Document customer contracts.
A.11.12 – Document subcontractor contracts
A.11.13 – Confirm that shared disks are purged of personal information before access is granted
A.12.1 – Document the location of personal information
A.12.2 – Document the objectives of planned processing of personal information