The Internet has advanced the global economy immensely, and the emergence of various web-connected devices or “things” accelerates the delivery of technology’s many benefits for organizations of all sizes. However, this is a double-edged sword; while enormous potential has been made possible by the Internet, its proliferation has introduced more openings for cybercrime. In fact, it is estimated that worldwide cybercrime costs $600 billion each year.
IT security is an anxiety-inducing issue in the digital age, as its threats can be unseen, disastrous, and ever-looming. The ISO/IEC 27000 family of international standards has been tasked with combating this issue by letting organizations filter through the chaos. A document in this series, ISO/IEC 27018:2019 – Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors has been released.
Since the ISO/IEC 27000 series is positioned around providing a harmonized approach towards handling an organization’s IT security risks, ISO/IEC 27018:2019 is intertwined with several other related standards.
When it comes to this series and the management of cybersecurity risks at the organization level, the seminal document is ISO/IEC 27001:2022 – Information Technology – Security Techniques – Information Security Management Systems – Requirements. This standard specifies the framework for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). Under the standard’s guidance, an organization can position itself towards progress and respond to the ever-evolving risk environment of cyberspace.
As for ISO/IEC 27018:2019, it sets “commonly accepted control objectives, controls and guidelines for implementing measures” to protect personally identifiable information (PII)—“any information that can be used to establish a link between the information and the natural person to whom such information relates, or is or can be directly or indirectly linked to a natural person”—in line with the privacy principles found in ISO/IEC 29100:2011.
ISO/IEC 29100:2011 – Information Technology – Security Techniques – Privacy Framework gives a policy framework that specifies common terminology, defines the actors and associated roles in processing PII, describes privacy safeguarding considerations, and provides references to known IT privacy principles.
ISO/IEC 27018:2019 also mentions ISO/IEC 27002 in its scope, in that it specifies guidelines based on the international standard. ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls helps organizations select security controls while implementing an ISMS in accordance with ISO/IEC 27001:2022.
While compared to some other information technology security standards, ISO/IEC 27018:2019 follows a somewhat different perspective. While many standards are oriented around protecting an organization from cybercrime, ISO/IEC 27018:2019 works to protect the information that an organization’s customers and other stakeholders have entrusted to the organization. It is intended to be used in conjunction with the information security objectives and controls found in ISO/IEC 27002 for creating a common set of security categories and controls for implementation by a public cloud computing service provider. In this instance, the public cloud service provider acts as the PII processor, or the “privacy stakeholder that processes PII on behalf of and in accordance with the instructions of a PII controller.”
In fulfilling this intention, ISO/IEC 27018:2019, which revises the 2014 edition of the same international standard, is meant to help the public cloud service provider comply with applicable obligations when acting as a PII processor, enable the public cloud PII processor to be transparent in relevant matters for the benefit of the customer, assist the cloud service customer and public cloud PII processor in entering into a contractual agreement, and provide cloud service customers with the ability to exercise audit and compliance rights and responsibilities.
With this last part, it is crucial that, while adhering to ISO/IEC 27018:2019, an organization identifies various needs for the protection of PII. Three main resources that need to be identified are risks, corporate policies, and legal, statutory, regulatory, and contractual requirements. These, of course, can vary between organization and location. For example, the notable General Data Protection Regulation (GDPR) puts greater requirements on organizations who process PII from data subjects residing in the European Union.
While ISO/IEC 27018:2019 does implement the controls found in ISO/IEC 27002, it augments them for its purposes. It does this by providing implementation guidance applicable to public cloud PII protection for certain existing ISO/IEC 27002 controls. There is also Annex A in ISO/IEC 27018:2019, which covers “Public cloud PII processor extended control set for PII protection.” This section features additional controls meant to address public cloud PII protection, such as the secure erasure of temporary files and PII disclosure notification.
ISO/IEC 27018:2019 – Information Technology – Security Techniques – Code Of Practice For Protection Of Personally Identifiable Information (PII) In Public Clouds Acting As PII Processors is available on the ANSI Webstore. It is also part of the following standards packages: