ISO/IEC 27018:2014
Cloud Security Management Systems
For the public cloud computing environment, ISO/IEC 27018:2014 defines widely recognized control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles of ISO/IEC 29100. In particular, ISO/IEC 27018:2014 offers guidance based on ISO/IEC 27002, taking into account the regulatory requirements for PII protection that may apply within a public cloud service provider's information security risk environment(s).
ISO/IEC 27018:2014 applies to all types and sizes of enterprises that provide information processing services as PII processors via cloud computing under contract to other organizations, including public and private companies, government agencies, and not-for-profit organizations. Organizations operating as PII controllers may benefit from the recommendations in ISO/IEC 27018:2014; nevertheless, PII controllers may be subject to extra PII protection legislation, rules, and duties that do not apply to PII processors. Such additional duties are not covered by ISO/IEC 27018:2014.
Advantages:
- Stakeholder confidence is higher. By complying with ISO 27018, CSPs can certify that they have established security procedures to protect stakeholders' sensitive information in the cloud.
- Global activities can be enabled more quickly. CSPs may do business internationally thanks to ISO 27018, which provides uniform criteria across nations.
- Supply chain requirements are met. ISO 27018 certification provides CSPs with documented evidence that they have adopted policies to protect PII, shortening the time it takes to negotiate new business and giving them a competitive advantage.
- Legal protection is improved. Certification to ISO 27018 ensures a systematic approach to data security, allowing CSPs to manage data security threats while remaining compliant with applicable legislation.