ISO 27018 focuses on protection of personally identifiable information (PII) in public clouds acting as PII processors.
What is ISO 27018?
ISO 27018 provides objectives, controls and guidelines for implementing measures that protect Personally Identifiable Information (PII) in a public cloud computing environment. In addition to this, the standard also specifies guidelines based on ISO/IEC 27002.
Once certified, organisations can proudly promote themselves as certificate holders in any of their promotional materials and can include the URS certification logo free of charge.
Who requires an ISO 27018 certification?
Certification in ISO 27018 is required by an organisation that acts as a Cloud Service Provider, and handles sensitive customer data in a cloud environment. Examples of relevant sectors include:
How can ISO 27018 benefit your business?
Becoming certified for ISO 27018 can bring a wide range of benefits to your organisation, including:
How can you prepare for an ISO 27018 Certification?
Although the thought of starting the certification process may seem daunting, there are a variety of steps you can take to make the process to becoming certified far more streamlined:
What are the key requirements of ISO 27018?
When working towards becoming certified for ISO 27018, there are various areas that will be a focus during the audit. These areas include:
What clauses make up the structure of ISO 27018?
Clauses 1-3 – Introductory clauses:
The first three clauses of ISO 27018 introduce the scope and application of the standard and identify the type of organisation that would benefit from this certification. These sections also include the names of other applicable standards that are referenced throughout, as well as a list of terms and definitions that are mentioned in various parts of this standard.
Clause 4 – Overview:
Clause 4 outlines the structure of the standard and provides a table that highlights which clauses feature sector specific guidance. Additionally, this section also covers control categories and description structures.
Clause 5 – Information security policies:
Clause 5 expands on the policies surrounding information security and provides sector specific implementation guidance for PII protection.
Clause 6 – Organisation of information security:
Although most subclauses in clause 6 directly reference ISO 27002, the subclause on information security roles and responsibilities has been expanded to include sector specific guidance.
Clause 7 – Human resources security:
Clause 7 introduces sector specific guidance relating to information security awareness, education and training, which covers public cloud PII protection and guidance for other jurisdictions.
Clause 8 – Asset management:
Clause 8 provides no additional sector guidance and simply references the requirements outlined in ISO 27002.
Clause 9 – Access control:
In clause 9, the additional sector specific guidance focuses on user access management and secure log-on procedures, whilst the remainder of this section directly references ISO 27002.
Clause 10 – Cryptography:
In this short section, clause 10 applies sector specific guidance to policies on the use of cryptographic controls for public cloud PII protection alone.
Clause 11 – Physical and environmental security:
Clause 11 expands on the guidance for physical and environmental security by including sector specifics for the secure disposal or re-use of equipment.
Clause 12 – Operations security:
Clause 12 provides an expansive amount of sector specific guidance on the separation of development and testing environments, information backups and event logging, all of which focuses on public cloud PII protection alone.
Clause 13 – Communications security:
Clause 13 provides a sector specific focus on information transfer policies and procedures, whilst the remainder of the subclauses reference the original ISO 27002 standard.
Clause 14 – System acquisition, development and maintenance:
Clause 14 provides no additional sector guidance and simply references the requirements outlined in ISO 27002.
Clause 15 – Supplier relationships:
Clause 15 provides no additional sector guidance and simply references the requirements outlined in ISO 27002.
Clause 16 – Information security incident management:
Clause 16 includes the addition of sector specific guidance to the subclauses on responsibilities and procedures, and the management of information security incidents and improvements.
Clause 17 – Information security aspects of business continuity management:
Clause 17 provides no additional sector guidance and simply references the requirements outlined in ISO 27002.
Clause 18 – Compliance:
In the final clause of this standard, sector specific guidance is provided on the independent review of information security for public cloud PII protection.
How long will your ISO 27018 certificate be valid for?
Your ISO 27018 certificate will be valid for at least three years, dependent on the type of site that is being certified.