866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How Does ISO 27018 Impact Cloud Service Providers? Blog Feature
RYAN MACKIE

By: RYAN MACKIE

Print/Save as PDF

How Does ISO 27018 Impact Cloud Service Providers?

ISO Certifications

According to the Identity Theft Resource Center, we saw 781 data breaches in 2015 that totaled hundreds of millions of stolen records, many of which included personally identifiable information about customers—names, addresses and Social Security numbers.

But this isn’t because all cloud service providers have weak security. Quite the contrary, actually. Their entire focus is on finding new ways to keep data safe and secure, and they aren’t alone in this endeavor. In addition to their efforts, governing bodies like the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are also devising new standards and guidelines to help provide guidance on data protection.

In July 2014, the ISO and IEC inaugurated a new security standard in the 27000 family of standards – ISO 27018. Essentially, this standard outlines best practices for private and public cloud service providers on how to better protect personally identifiable information (PII). Naturally, it’s raising a lot of questions, like what exactly is it? And, do I need to become certified? Here’s what cloud providers need to know about the standard.

What is ISO 27018?

ISO 27018 is the first privacy-specific international standard for cloud service providers that is custom tailored to address cloud computing services. It contains specific guidelines related to reducing information security risks applicable to PII in a public cloud offering.  It is constructed to supplement the control set within Annex A of ISO/IEC 27001:2013 as well as include extended controls unique to cloud service providers that are associated with the 11 privacy principles within ISO 29100.

Key Guidelines

ISO 27018 outlines several key guidelines to which certified cloud service providers could include in their control framework to demonstrate conformance to the standard.  These guidelines including the following:

  1. PII cannot be used for business marketing or advertising purposes unless the customer consents to such use. The customer has control over their own data and the cloud provider is restricted to processing PII only in accordance with the customer’s instruction.
  1. Cloud service providers are required to handle PII in a specific manner when transmitting over public networks, storing on mobile devices or recovering or restoring data. The cloud service provider (and relevant staff) must also sign a confidentiality agreement and provide specialized training for employees who will be directly processing PII.
  1. If a data breach occurs, the provider is to notify the customer immediately, maintain a clear record of the incident and assist their customer in remaining compliant with their own security obligations.
  1. Cloud service providers must disclose the names of any sub-processors (and any location information about where PII may be processed) before a contract is signed. If the provider changes sub-processors mid-contract, it must also disclose this information and provide the customer with the right to terminate the contract.

Early adopters of ISO 27018 include  Dimenson Data; however, any organization that processes PII in the cloud can consider conforming to the guidelines within ISO 27018 to complement their current ISO 27001 certification. This includes private, public, government and nonprofit entities.

Despite the benefits of this global standard specifically applicable to PII in the cloud, the vast majority of cloud providers still haven’t jumped on the bandwagon. But those closely tied to the industry believe it’s only a matter of time before the broader market expects demonstration of conforming to ISO 27018

Benefits of ISO 27018

There are several benefits to including ISO 27018 in your compliance framework.  The most obvious include:

Increased Customer Confidence
To begin with, customers feel more assured in trusting a cloud service provider  that can demonstrate third party validation of market-specific best practices. If a cloud service provider conforms to ISO 27018, that means it has a deep understanding of how to safely handle PII and is dedicated to protecting its customers’ data. This helps it differentiate its brand from competitors.

Streamlined Global Operations
Because ISO 27018 guidelines are universal and apply to other countries in addition to the United States, conformance makes it easier for cloud service providers to participate in the global marketplace and for customers to sign international contracts.

Quicker Contract Process
It’s not uncommon for a customer to ask a cloud service provider to answer several questions about its standard practice for handling PII. With conforming to ISO 27018, many of these questions can be addressed through your deliverable.

There’s also the issue of cyber insurance. Cyber insurance is necessary to cover the cost of a data breach or other privacy violation. It’s expensive, lacks a standard and it can derail the contract process—fast. But cyber insurance companies prefer to see security credentials, like ISO 27018, and their terms and conditions reflect it.

Legal Protection for Providers and Users
The guidelines and control set within the ISO 27018 standard hold up against audits, customer inquiries and other government reviews. Essentially, the standard is like a “safe harbor” against data breaches because it proves the provider was not negligent in their efforts to protect PII.

With so many benefits applicable to the ISO 27018 standard, it is a wonder that many cloud service providers are still contemplating the incorporation of ISO 27018 in their compliance framework and point to reasons that include cost, implementation timeline, maintenance requirements, and market acceptance. But this is only prolonging the inevitable and puts cloud providers and their customers at risk.

Like all other compliance efforts (HIPAA, SSAE, etc.), it’s likely ISO 27018 will eventually become the industry standard, which means cloud service providers need to give it serious consideration now, as it may just be what you need to gain greater customer appreciation and differentiate yourself from the competition.

 

About RYAN MACKIE

Ryan Mackie is a Managing Principal at Schellman, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.