ISO 27018 is the first international standard created specifically for data privacy in cloud computing. Its main objective, according to the International Organization for Standardization (ISO), is to establish “commonly accepted control objectives, controls, and guidelines for implementing measures to protect Personally Identifiable Information (PII).”

ISO 27018 is part of the ISO 27000 family of standards, which define best practices for information security management. ISO 27018 adds new guidelines, enhancements, and security controls to the ISO/IEC 27001 and ISO/IEC 27002 standards, which help cloud service providers better manage the data security risks unique to PII in cloud computing.

Although ISO 27018 is not a law, there are a number of benefits to following its guidelines and earning certification (more on this below). And since the standard isn’t free to the public, we’ve combed through it to help you make intelligent decisions on compliance and certification.

Below are the most important things you need to know about ISO 27018 and why it’s a good idea to follow.

As ISO states in Section 2 of the 2019 version, “This second edition cancels and replaces the first edition (ISO/IEC 27018:2014).” It goes on to explain that the revisions are primarily to correct an editorial mistake in Annex A. The differences between the two versions are minor and do not change the best practices for protecting PII in cloud computing and public cloud applications in any major way.

However, one noteworthy revision to point out, from a certification standpoint, is that ISO 27018 is no longer referred to as a “standard” within the document itself. Instead, the latest revision replaces all mentions of “standard” with the word “document.” In plain English, that means ISO 27018 is now considered a set of guidelines and controls that enhance ISO 27001 (the standard for building an information security management system, or ISMS), rather than a standard for organizations to certify against. Cloud service providers should instead certify against ISO 27001 using the 27018 guidelines in the event that they process PII.

Why ISO 27018 Compliance Is Beneficial

A study by PwC found that “85% of consumers will not do business with a company if they have concerns about its security practices.” Simply put, ISO 27018 compliance is a competitive advantage for both cloud service providers and their customers:

For cloud service providers: If you’re ISO 27018-compliant, it makes it easier to close deals with prospective customers because you can say, “We follow the most comprehensive data controls.”

For cloud service customers: If you can show consumers that their data is protected by comprehensive PII protection standards (by working with cloud service providers that follow ISO 27018), they’ll be more likely to do business with you.

Here are four additional ways ISO 27018 compliance benefits businesses.

Since ISO 27018 is an extension of ISO 27001, it’s part of an internationally recognized standard. That means it’s easier for cloud service providers to provide assurances on their security practices if they’re doing business globally, as the standard is recognized in most countries.

Note: Following ISO 27018 will streamline cloud privacy in many instances, given its global acceptance. However, it’s always important to consult a data privacy attorney skilled in the laws of the specific country you’re trying to do business in to ensure that you’re compliant.

Improved Security And Legal Protection

Earning the ISO 27001/27018 certification is an important part of establishing a baseline of security for any business that processes data in the cloud. Simply put, following these standards helps you reduce security risk, since they are recognized as some of the most comprehensive in cloud computing applications. Implementing ISO 27018 controls and earning a certification also helps protect your business against charges of negligence or recklessness in the event that a breach were to occur.