ISO 27018: understanding cloud privacy

Key takeaways

• ISO 27018 is an international standard that protects personally identifiable information (PII) in cloud environments. It supplements ISO 27017 and connects with ISO 27001, providing data integrity, confidentiality, and availability guidelines.
• ISO 27018 emphasizes collecting minimal PII for limited purposes, implementing robust security controls, and assessing risks before gathering data. It encourages cloud users to define the responsibilities of service providers and clients. It also recommends transparent consent processes.
• Benefits of using the 27018 standard include enhanced customer trust, reduced data breach risks, greater competitiveness for Cloud Service Providers (CSPs), and simplified global compliance.
• ISO 27018 controls cover access control, asset management, business continuity, and communications security. There are sections for compliance, cryptography, human resource security, information security policies, and incident management. Core components include operations security, physical and environmental security, supplier relationships, and system acquisition.

The main purpose of ISO 27018

The ISO 27018 standard, introduced in 2014, meets the needs of organizations that store or process data in the cloud and covers critical information security concerns for cloud service users.

ISO 27018 expands on ISO 27001. It deals with cloud privacy and securing personal data in the public cloud. Cloud service providers and clients can use the 27018 standard to align cloud data processing with global best practices.

The ISO 27018 framework covers areas such as ensuring transparent data processing and obtaining consent to process customer data in the cloud. The standard also sets out guidelines for dividing responsibilities between a cloud service and the customer and includes security guidance relating to data transfers and deletions.

The framework aims to enable companies to process data on any cloud service safely and efficiently. Users of ISO IEC 27018 can balance significant information security risks against operational needs and construct cloud computing systems that meet ISO data protection standards.

Key objectives of ISO 27018

ISO IEC 27018 aims to ensure data security in the cloud. This overall objective includes a range of themes and recommendations relating to:

• Protecting PII. ISO IEC 27018 recommends collecting minimal amounts of PII for limited purposes. The standard requires robust security controls for PII, including encryption, access control systems, and firewalls. There are strict rules governing transferring confidential data to third parties. Compliant organizations must also assess risks to personally identifiable information before gathering data.
• Roles and responsibilities. ISO IEC 27018 defines the responsibilities of cloud service providers and clients. Organizations must clearly define who is responsible for protecting PII in the cloud. Companies should use enforceable agreements to secure data sharing and processing. Service providers and clients should also work together to manage security incidents.
• Privacy and individual rights. ISO IEC 27018 requires companies to seek consent to collect and process data. Organizations must create and maintain transparent policies and procedures for cloud operations. They must name data controllers and enable data subject requests such as amendments or deletions.
• Notification and communication. Companies must implement systems to notify users and regulators about data breaches or other information security alerts. Organizations must also communicate security policies to all stakeholders and cloud service users.

Benefits of ISO 27018 compliance

ISO standards are recognized globally as guides to information security best practices. ISO 27018 is no exception and provides a robust grounding in cloud information security.

Aside from that overall benefit, there are many other reasons to achieve ISO 27018 compliance:

• Enhanced customer trust. Compliant organizations handle customer data transparently and securely. They tend to experience fewer data breaches and have mechanisms to request informed consent. Organizations also respond to user requests quickly. The result is greater trust and a better reputation for respecting user privacy.
• Reduced risk of data breaches. ISO IEC 27018 recommends cloud security controls that prevent access for malicious attackers. Compliant organizations safeguard user data against theft, destruction, or alteration. Continuous compliance also updates cloud controls to reflect changing conditions and threats. Companies can anticipate threats and take appropriate action.
• Greater competitiveness for CSPs. ISO IEC 27018 compliance encourages clients to partner with trustworthy cloud service providers. CSPs can separate themselves from other market actors by showing their commitment to information security and privacy. Using a global standard makes it easier for CSPs to compete internationally. Smooth third-party security also simplifies life for clients, with no confusion about roles and responsibilities.
• Simplified global compliance. ISO IEC 27018 is an international code of practice that assists compliance with regulations anywhere. Compliant companies can process PII in line with regulations like GDPR and HIPAA.

Control list of ISO 27018

ISO 27018 recommends a list of controls for cloud computing environments. This control list is a reference point for companies designing secure cloud systems. Relevant controls include:

• Access control. Organizations should ensure that only legitimate users can access cloud computing assets. Multi-factor authentication should guard cloud-hosted PII, while tools like session management should monitor user access. There are also specific guidelines for managing administrator access to cloud resources.
• Asset management. Deals with identifying public cloud assets and managing the information lifecycle from data creation to deletion.
• Business continuity management. Understanding risks linked to security incidents and ensuring data availability. Protecting PII with measures like data backups and making third parties part of business continuity management plans.
• Communications security. Securing connections between local assets and the public cloud. Communications security includes using secure protocols and APIs, secure messaging systems to communicate PII, and logging PII transfers to prevent unauthorized sharing.
• Compliance. Identifying compliance requirements relating to PII in the public cloud. Managing risk according to compliance requirements and auditing cloud systems to ensure continuing compliance. This section also covers notification processes and protecting data privacy rights.
• Cryptography. Applying secure encryption to PII in the public cloud, both for data in transit and stored data. ISO IEC 27018 recommends secure key management and established encryption standards. It advises organizations to use data masking to anonymize PII where possible. It also recommends using cryptographic authentication systems to manage user access.
• Human resource security. Organizations should provide cloud security training to employees and create cloud security policies. Policies should provide guidelines about secure access to cloud systems and employee responsibilities when handling PII. This section includes guidance about tracking employee activity and recommends that termination processes deny ex-employees access to PII.
• Information security policies. ISO IEC 27018 requires many information security policies. These policies cover controlling access, incident management, encryption, data retention, and auditing processes. Companies must document every aspect of their cloud ISMS to ensure ISO compliance.
• Incident management. Organizations need processes to identify, contain, and neutralize threats to cloud-hosted data. Response plans should define communication and reporting policies. There should be clear guidelines about working with cloud service providers. Organizations must also analyze incidents and take corrective action if needed.
• Operations security. Includes guidance about executing risk assessments for data processing activities, managing change processes, and ensuring secure configuration of public clouds. Operations security includes vulnerability management controls and secure cloud development practices.
• Physical and environmental security. Store cloud assets securely with appropriate access controls. Physical security controls and measures to minimize environmental risks like floods or fires should protect data centers. Organizations should regularly replace and update physical devices. Secure disposal of physical media is essential.
• Supplier relationships. Cloud service agreements should define the security responsibilities of cloud users and service providers. Clients should risk assess potential vendors and choose secure partners. Service agreements should reflect compliance requirements and include regular auditing procedures. There should be an exit strategy for each CSP and security agreements for cloud subcontractors.
• System acquisition, development, and maintenance. ISO IEC 27018-compliant organizations must integrate PII security into all cloud procurement projects. Systems should have patch management and secure configuration policies, while ISO-approved controls should protect all acquisitions. Companies should test systems regularly and document changes to system configurations.

Challenges in implementing ISO IEC 27018

Organizations often encounter challenges when implementing the ISO 27018 security standard. However, these problems are generally manageable, especially with appropriate planning before beginning implementation projects.

For example, adjustment to more rigorous data management policies can cause problems. Employees who are used to open access to databases or assets must pass through authentication portals and prove their identity every time they handle sensitive data. Some users may not have the correct access level. And there may initially be issues with using remote access VPNs to access public cloud resources.

Organizations also struggle to implement continuous compliance demanded by ISO standards. Companies must regularly re-assess their cloud security policies and cloud-related risks and update their cloud security posture when appropriate.

Working with cloud service providers and other third parties is also challenging. Organizations may find that their existing supplier relationships are not ISO IEC 27018-compliant. And not all suppliers are willing to provide details about securing data in public clouds.

Another problem is implementing ISO IEC 27018 in different regions. Data protection regulations vary between jurisdictions. Companies must follow regulatory changes and update their cloud security systems to reflect the latest developments.

Steps to achieve ISO 27018 compliance

ISO IEC 27018 compliance varies between cloud computing deployments. However, the process of achieving compliance is relatively consistent.

Step 1: Scoping and compliance requirements

Start by assessing existing cloud security systems. Document data that your organization stores and processes in the public cloud. Use this inventory to implement ISO-compliant policies and technical controls.

Compliance teams should read and understand ISO IEC 27018 requirements. They must identify gaps where action is required.

Understanding the regulatory environment is also critical. What regulations influence how you ensure cloud privacy and protect PII?

Step 2: Risk assessment

Identify information security risks faced by data assets in the cloud. Classify risks as high, medium, or low probability. Apply the same scale to risk impacts. Score each risk based on likelihood and impact. Compile these scores in a central risk management plan.

Step 3: Risk ownership

Establish who owns individual risks. Are clients responsible for addressing risks (for example, managing access to personal data), or are CSPs responsible (an example could be fixing exploits on cloud applications)?

Step 4: Risk treatment

Create a risk treatment plan that links information security risks with appropriate technical, administrative, human, or physical controls. The treatment plan provides a road map, plotting a route from existing cloud security systems to ISO 27018 compliance.

Step 5: Implement controls

Set a project timescale and implement the risk treatment plan. Cover technical security controls such as authentication, cryptography, secure coding, and access control systems. Include physical and environmental security measures and lifecycle asset management policies. Implement human resource security measures like training and secure offboarding.

Step 6: Execute an internal ISO 27018 audit

Create a separate audit team to assess the implementation project. Compare cloud security measures and policies to ISO IEC 27018 recommendations. Document any problem areas and take corrective action before organizing a formal ISO 27001 certification process.

Conclusion: protect cloud data with an international security standard

ISO 27018 is an extension of the ISO 27001 framework that assists organizations in securing public cloud assets and protecting PII. ISO 27018 guidelines cover every aspect of cloud data security, with sections on managing incidents, system acquisition, access control, and many other critical compliance areas.

Achieving compliance in every area is demanding. However, benefits include greater trust, fewer data breaches, and smoother relationships between clients and cloud service providers.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.