ISO 27018 | Protecting personally identifiable information in public clouds


What is ISO 27018?

ISO 27018 establishes guidelines for protecting Personally Identifiable Information (PII) in public clouds.

Based on ISO 27001 and ISO 27002, this standard focuses on practices that protect PII from security risks to which public cloud service providers are exposed.

Our CISO-certified information security experts will adapt the certification process to your organization’s needs while ensuring full compliance with the standard.

With our CISO-as-a-service offering, you can get a unique solution tailored to your needs, resources, and field of business.


Who has to comply with the standard?

Any organization that processes PII using cloud computing must comply with ISO 27018. This includes private, public, and government organizations. The standard also refers to organizations that act as PII controllers.

PII controllers must meet additional requirements that do not apply to PII processors.

The difference between a PII controller and a PII processor is that a processor receives the data from a cloud service client (a PII controller).

The PII controller determines how the PII is collected and processed.


What are the benefits of getting certified?

  1. ISO 27018 compliance means entering the international market and working with governments and major players.
  2. ISO 27018 certification proves that your organization keeps your clients’ PII safe and secure.
  3. Complying with laws and regulations (including GDPR) pertaining to cloud services ensures your information security is as tight as possible. It also means your organization can back up, recover and encrypt PII.
  4. Establishing appropriate privacy protection controls will prevent your organization’s data from leaking, being lost, and being used for unsolicited marketing, thus saving you unwanted expenses.


Why get both ISO 27018 and ISO 27001 certifications?

Cloud service providers are often asked how they protect their clients’ PII from security breaches.

Getting certified for compliance with ISO 27001 is essential for your organization’s information security.

However, these days ISO 27001 alone is no longer enough, and many cloud service providers that process PII must also obtain ISO 27018 to ensure that the personal data they store is as safe as possible.


New controls:

ISO 27018 establishes a new set of controls that organizations must implement to enhance their cloud security. These controls are not included in ISO 27001. They include the following:

  • Appointing a data processor who will serve as the point of contact for the client.
  • Managing documentation in accordance with the cloud policy.
  • Defining regulatory compatibility and contractual requirements between the data processor and its clients.
  • Encrypting all PII in the cloud and establishing strict access controls.
  • Processing data only for the purposes agreed on with the client. The collection and use of data for marketing and advertising purposes is prohibited.
  • Logging all use of physical storage media containing PII.
  • Ensuring employees with access to PII are bound by strict confidentiality agreements.
  • Maintaining several logical and physical backups.
  • Establishing procedures for deleting and recovering PII from backups, and allowing clients to access and delete their data.
  • Managing data transfers between geographical locations.
  • Establishing procedures for destroying physical media containing PII in accordance with privacy protection laws.
  • Giving the client advance notice if a disclosure request is received.


Support from the best experts in the field:

We offer you an easy, efficient way to get certified. With our best-in-class experts at your service, you will have all the support you need every step of the way. Our legal, regulatory, and security specialists will assess your organization’s unique needs and adapt the solutions accordingly.

At the end of the process, you will receive an information security risk survey, privacy protection procedures, and emergency procedures for handling information security incidents.

You will also receive:

  • A comprehensive information security risk survey
  • A mechanism for managing information security in your organization
  • A business continuity plan

Why choose Hermeticon:

360° Cybersecurity & information security support

We provide technological solutions informed by legal expertise, combined with a deep understanding of organizational change and security awareness training.

Cybersecurity and information security solutions

We can identify and provide the right tech solutions for your organization.

Support from our resilience testing division

Our resilience testing experts have a wealth of experience and are well-versed in the most advanced security systems on the market.

A bespoke service scaled to match your needs

Over the years, we have gained a lot of experience. By taking a bird's-eye view of your business, we can identify your existing security weaknesses and provide your company's management with valuable insights.

Our information security experts are here for you.

Fill in your information or contact us and we'll be happy to be at your service!
  • Phone

    03-9450630

  • Mordehai Rojanski 18
    Rishon LeTsiyon

  • Sun - Thu
    08:00-17:00