Provide compliance basis for personally identifiable information control and reduce security risks
The potential risk of personal data breaches has become a top international issue, with a number of major information security incidents drawing attention to how to protect your personal details. Today, more and more personal and consumer-level applications are cloud-based applications. The cloud offers organizations and consumers a number of benefits: cost savings, increased flexibility in mobile access to information. It also raises concerns about data protection and privacy, particularly Personally Identifiable Information (PII), which is defined as any information that can be used to identify the PII subject to which such information relates and which can be directly or indirectly associated with the PII subject.
For users, a cloud service provider (GSP) can provide its users with peace of mind and confidence that its cloud services are reliable, comply with applicable regulatory and contractual requirements, and apply best industry practices , then the cloud service provider will become the best choice for users. Under the background of this actual demand, ISO/IEC 27018 came into being.
ISO/IEC 27018 is a code of conduct for the protection of personally identifiable information in public cloud services to allow GSPs whose infrastructure has been certified to the standard to inform their existing and potential customers that their data is protected and will not be used for unauthorized use for any purpose that they expressly agree to. ISO/IEC 27018 provides generally accepted control objectives, controls and guidance on implementing measures to protect personally identifiable information (PII), aligning with the privacy principles of ISO/IEC 29100 and personal data privacy regulations around the world. ISO/IEC 27018 can ensure that cloud service providers have appropriate procedures for handling PII, and it can also help develop stronger cloud service agreements designed to provide real value and transparency to cloud service customers.
ISO/IEC 27018 provides additional control over PII in two ways:
1. Provide guidance on how to implement specific ISO/IEC 27001 controls in the context of PII protection;
2. Provide control of PII in cloud environment not mentioned in the existing ISO/IEC 27001.
In addition, ISO/IEC 27018 establishes clear and transparent parameters for the return, transfer and secure processing of personal information; and requires GSPs to disclose the identity of any sub-processors with which they engage in data processing before a customer enters into a contract; if a GSP changes the self-processor , the GSP is required to notify customers in a timely manner, giving them the opportunity to object and terminate their agreement.
ISO/IEC 27018 applies to any organization, large or small, and it is critical for an organization to demonstrate compliance and show how it protects data, especially data that is not stored in one location.
○ ISO/IEC 27001-2013 Information Technology - Security Technology - Information Security Management System - Requirements
○ ISO/IEC 29100-2018 Information Technology - Security Technology - Privacy Architecture Framework
○ ISO/IEC 27002-2022 Information Security, Cyber-security and Privacy Protection Information Security Control
○ GB/T 35273-2020 Information Security Technology Personal Information Security Specification
Improve customer confidence and trust
If a cloud service provider complies with this standard, it means it has a solid understanding of how to handle PII securely and is committed to protecting its customer data, which can help increase customer trust in the business.
Reduce customer audits
Many customers assign their stewardship to suppliers through frequent audits. ISO/IEC 27018 is an international standard and provides an independent, third-party evidence that an organization's cloud operations are not only controlled, but controlled in accordance with international best practice benchmarks.
Tel:+86-400 821 5138
Fax:+86-21 3327 5843
Email:noa@noagroup.com