ISO/IEC 27018:2019 – Information technology — Security techniques — Guidelines for protecting Personally Identifiable Information (PII) in public cloud servers acting as PII processors
The purpose of this standard is to ensure that the cloud service providers (such as Google and Amazon) implement suitable information security controls as a means of protecting their customers’ information, primarily securing Personally Identifiable Information.
In addition to privacy, the standard will be followed by ISO/IEC 27017, which covers multiple aspects of information security of cloud computing.
In addition to national standards organizations, the Cloud Security Alliance endorsed the project.
Scope and objectives
The standard aims to serve as a guide for selecting PII protection controls in the context of implementing an ISO/IEC 27001-based cloud computing information security management system, or as a guide for organizations for implementing generally accepted PII protection controls.
Cloud computing services act as public-cloud computing processors under this standard. “A public cloud service provider processes personal information for and according to instructions from a cloud service customer”. It does not address PII principals (e.g. individuals who process personal information in the cloud, for instance, Google Drive) or PII controllers (i.e. enterprises which use cloud services for processing PII of clients, customers, employees, etc. ), even though they share many concerns and are interested in the cloud service provider’s privacy policies.
ISO/IEC 27002 is interpreted in the standard rather than duplicated to secure personal data held in the cloud. 27002 includes an annexe that, for example, advises cloud service providers to inform their customers if they use subcontractors.
ISO/IEC 27000, 27001, and 27002 are considered to be “normative” (i.e. necessary) standards, including ISO/IEC 17788 “Cloud computing – overview and terminology” and ISO/IEC 29100 “Privacy framework”.
The standard’s status
In 2014, the first edition was published.
The second edition was published in 2019 (a minor revision).
A few sections of ISO/IEC 27002 are expanded, as is the general advice offered by 27002, and several OECD privacy principles are referenced.
Most of the sections simply state: “The objectives and content of Clause of ISO/IEC 27002 apply.”
Expansions and additions are fairly straightforward.