ISO 27018 is the first international standard created specifically for data privacy in cloud computing. Its main objective, according to the International Organization for Standardization (ISO), is to establish “commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII).”
ISO 27018 is part of the ISO 27000 family of standards, which define best practices for information security management. ISO 27018 adds new guidelines, enhancements, and security controls to the ISO/IEC 27001 and ISO/IEC 27002 standards, which help cloud service providers better manage the data security risks unique to PII in cloud computing.
Although ISO 27018 is not a law, there are a number of benefits to following its guidelines and earning certification (more on this below). And since the standard isn’t free to the public, we’ve combed through it to help you make intelligent decisions on compliance and certification.
Below are the most important things you need to know about ISO 27018 and why it’s a good idea to follow it.
Version “2019” vs. “2014” - What’s New?
ISO 27018 was first created in 2014 (ISO/IEC 27018:2014) and was last revised in 2019 (ISO/IEC 27018:2019). The differences between the two versions are minor and do not change the best practices for protecting PII in cloud computing and public cloud applications in any major way.
As ISO states in Section 2 of the 2019 version, “This second edition cancels and replaces the first edition (ISO/IEC 27018:2014).” It goes on to explain that the revisions are primarily to correct an editorial mistake in Annex A.
However, one noteworthy revision to point out, from a certification standpoint, is that ISO 27018 is no longer referred to as a “standard” within the document itself. Instead, the latest revision replaces all mentions of “standard” with the word “document.”
In plain English, that means ISO 27018 is now considered a set of guidelines and controls that enhance ISO 27001 (the standard for building an information security management system or ISMS), rather than a standard for organizations to certify against.
Cloud service providers should instead certify against ISO 27001 using 27018 guidelines in the event that they process PII.
Why ISO 27018 Compliance Is Beneficial
A study by PwC found that “85% of consumers will not do business with a company if they have concerns about its security practices.” Simply put, ISO 27018 compliance is a competitive advantage for both cloud service providers and their customers:
- For cloud service customers: If you can show consumers that their data is protected by comprehensive PII protection standards (by working with cloud service providers that follow ISO 27018), they’ll be more likely to do business with you.
- For cloud service providers: If you’re ISO 27018-compliant, it makes it easier to close deals with prospective customers because you can say, “We follow the most comprehensive data controls.”
Here are four additional ways ISO 27018 compliance benefits businesses.
1. Improved Global Operations
Since ISO 27018 is an extension of ISO 27001, it’s part of an internationally recognized standard. That means it’s easier for cloud service providers to provide assurances on their security practices if they’re doing business globally, as the standard is recognized in most countries.
Note: Following ISO 27018 will streamline cloud privacy in many instances, given its global acceptance. However, it’s always important to consult a data privacy attorney skilled in the laws of the specific country you’re trying to do business in to ensure that you’re compliant.
2. Improved Security And Legal Protection
Earning the ISO 27001/27018 certification is an important part of establishing a baseline of security for any business that processes data in the cloud. Simply put, following these standards helps you reduce security risk since they are recognized as some of the most comprehensive in cloud computing applications.
Implementing ISO 27018 controls and earning a certification also helps protect your business against charges of negligence or recklessness in the event that a breach were to occur.
Negligence charges can often incur more severe penalties (as Equifax found out in 2019). But if a business is using a well-defined, risk-based approach to protect users’ personal data, doing so not only decreases the likelihood of a breach but also evidences the company’s focus on security.
The same goes for customers of cloud service providers. Working with ISO 27001/27018-certified cloud providers shows regulators you’re taking important steps to protect your users’ personal data.
3. Streamlined Sales Processes
Corporate security is a major friction point for a lot of IT sales deals. ISO 27018 helps reduce that friction because it simplifies the amount of information required for corporate security to sign off.
Instead of facing a long, drawn-out inquisition or questionnaire from prospective customers, an ISO 27001/27018-certified cloud service provider can simply have its customers review its Statement of Applicability (a list of in-scope security controls and implementation), which gives them the assurances they need to close the deal.
4. Better Security For A Postpandemic World
Cloud computing usage is rising at a significant rate (spending is up 37% in 2020, according to PwC) due to an increase in remote work as a result of COVID-19. This increase has also led to an increase in cyberattacks across the globe, according to Interpol and the U.S. Chamber of Commerce.
However, while many workers have already returned to the office as of the end of 2020, a survey by PwC shows that remote work will likely stay commonplace even after the pandemic is over. As a result, cloud usage will likely remain high to accommodate remote workers, and ISO 27018 compliance will remain beneficial after COVID-19 is long gone.
ISO 27018 Controls and Compliance
If you’re serious about following the controls laid out in ISO 27018 or earning an ISO 27001 certification, we highly recommend you read both standards to familiarize yourself with all that is required of you.
To get a better feel for what you need to prepare for, here is an overview of the controls laid out in ISO 27018 and the process for certification through ISO 27001.
ISO 27018 Controls Overview
The requirements below are a guideline for cloud service providers on how to update their procedures, technology, infrastructure, etc., in order to follow the controls laid out in ISO 27018.
Some of these recommendations will likely feel familiar, as they show up in regulations like the GDPR (just one example of how the ISO 27018 guidelines can help you meet regulatory requirements in different countries):
- Always process customer data according to a customer’s wishes. Basically, you’ll need to show that you’re only using PII in the way(s) its owners have explicitly said you can. That means if a user says you’re not allowed to use their information for marketing and advertising, you should have processes for ensuring that never happens.
- Help cloud customers provide their users access to their data when they request it. Or, in plain English, if your customers’ customers want to access their data, you need to have the processes and technology set up to help them do that.
- Enable cloud customers to comply with their notification obligations in the event of a data breach. If breached, cloud service providers should help give their customers visibility into their own data.
- Share information with the minimum required parties. Basically, keep data private unless you’re required to turn it over. This helps keep personal information safe.
- Tell your customers about any subprocessors in your contract with them. This includes notifying your customers about any location(s) where that data is being processed.
- Ensure you have a policy for disposing of (or returning) data that is no longer in use. For example, if a customer ends their service agreement with you, you must have a plan for what to do with their data.
- Have your operations regularly reviewed and audited by a third party. Certification is required annually by a third party. But if you make significant changes to your processing procedures, you’ll also need a third party to review them.
- Ensure that every employee with access to your customers’ data is under NDA. This adds accountability and legal protection in the event that one of your employees is responsible for sharing data when they’re not supposed to.
- Ensure that your staff has adequate training. All of your employees who have access to your customers’ data should be trained to handle it in accordance with ISO 27018 guidelines.
ISO 27001 Certification Process Overview
As mentioned above, ISO 27018 certification is part of the certification process for ISO 27001 for cloud service providers. Certification for ISO 27001 is required every three years and is determined by an ISO-accredited third party. It typically happens in two stages:
- Stage 1: An informal review of your information security management system (ISMS). The purpose of Stage 1 is to familiarize auditors with your organization. During this stage, auditors will check up on key documentation and procedures (to ensure they exist).
- Stage 2: A formal compliance audit. In Stage 2, auditors will perform detailed tests of your ISMS against the requirements in ISO 27001 and 27018, looking for evidence that it meets the requirements laid out in the standard. If your ISMS passes this stage, you’ll achieve certification for the year.
After certification, you’ll be required to participate in annual surveillance audits to ensure ongoing compliance. If your ISMS is on the newer side, they could occur several times a year to ensure that everything is in order.
Are ISO 27018 Controls Worth Implementing?
While the controls laid out in ISO 27018 are not legally required, it’s a really good idea to follow them if you’re a cloud service provider who processes PII, especially if you’re doing business internationally.
It’s true that the costs of certification through ISO 27001 can be prohibitive for some (certification costs vary from business to business, depending on the size of your business, the scope of your cloud utilization, etc.). But a data breach isn’t cheap either ($3.86M, on average).
And although certification won’t prevent a breach altogether, the controls ISO 27018 recommends certainly can improve your chances of avoiding one (you’ll also have better coverage in the event a breach does occur), even if you don’t pursue a certification.
The Auth0 Identity Platform, a product unit within Okta, takes a modern approach to identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.