ISO 27018: What Cloud Providers Need to Know

August 29, 2016 Ryan Mackie

According to the Identity Theft Resource Center, we saw 781 data breaches in 2015 that totaled hundreds of millions of stolen records, many of which included personally identifiable information about customers—names, addresses and Social Security numbers.

But this isn’t because all cloud service providers have weak security. Quite the contrary, actually. Their entire focus is on finding new ways to keep data safe and secure, and they aren’t alone in this endeavor. In addition to their efforts, governing bodies like the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are also devising new standards and guidelines to help provide guidance on data protection.

In July 2014, the ISO and IEC inaugurated a new security standard in the 27000 family of standards ISO 27018. Essentially, this standard outlines best practices for private and public cloud service providers on how to better protect personally identifiable information (PII). Naturally, it’s raising a lot of questions, like what exactly is it? And, do I need to become certified? Here’s what cloud providers need to know about the standard.

What is ISO 27018?

ISO 27018 is the first privacy-specific international standard for cloud service providers that is custom tailored to address cloud computing services. It contains specific guidelines related to reducing information security risks applicable to PII in a public cloud offering.  It is constructed to supplement the control set within Annex A of ISO/IEC 27001:2013 as well as include extended controls unique to cloud service providers that are associated with the 11 privacy principles within ISO 29100.

Key Guidelines

ISO27018 outlines several key guidelines to which certified cloud service providers could include in their control framework to demonstrate conformance to the standard.  These guidelines including the following:

  1. PII cannot be used for business marketing or advertising purposes unless the customer consents to such use. The customer has control over their own data and the cloud provider is restricted to processing PII only in accordance with the customer’s instruction.
  1. Cloud service providers are required to handle PII in a specific manner when transmitting over public networks, storing on mobile devices or recovering or restoring data. The cloud service provider (and relevant staff) must also sign a confidentiality agreement and provide specialized training for employees who will be directly processing PII.
  1. If a data breach occurs, the provider is to notify the customer immediately, maintain a clear record of the incident and assist their customer in remaining compliant with their own security obligations.
  1. Cloud service providers must disclose the names of any sub-processors (and any location information about where PII may be processed) before a contract is signed. If the provider changes sub-processors mid-contract, it must also disclose this information and provide the customer with the right to terminate the contract.

Early adopters of ISO 27018 include Dropbox and Microsoft; however, any organization that processes PII in the cloud can consider conforming to the guidelines within ISO 27018 to complement their current ISO 27001 certification. This includes private, public, government and nonprofit entities.

Despite the benefits of this global standard specifically applicable to PII in the cloud, the vast majority of cloud providers still haven’t jumped on the bandwagon. But those closely tied to the industry believe it’s only a matter of time before the broader market expects demonstration of conforming to ISO 27018

Benefits of ISO 27018

There are several benefits to including ISO 27018 in your compliance framework. The most obvious include: 

Increased Customer Confidence
To begin with, customers feel more assured in trusting a cloud service provider  that can demonstrate third party validation of market-specific best practices. If a cloud service provider conforms to ISO 27018, that means it has a deep understanding of how to safely handle PII and is dedicated to protecting its customers’ data. This helps it differentiate its brand from competitors.

Streamlined Global Operations
Because ISO 27018 guidelines are universal and apply to other countries in addition to the United States, conformance makes it easier for cloud service providers to participate in the global marketplace and for customers to sign international contracts.

Quicker Contract Process
It’s not uncommon for a customer to ask a cloud service provider to answer several questions about its standard practice for handling PII. With conforming to ISO 27018, many of these questions can be addressed through your deliverable.

There’s also the issue of cyber insurance. Cyber insurance is necessary to cover the cost of a data breach or other privacy violation. It’s expensive, lacks a standard and it can derail the contract process—fast. But cyber insurance companies prefer to see security credentials, like ISO 27018, and their terms and conditions reflect it.

Legal Protection for Providers and Users
The guidelines and control set within the ISO 27018 standard hold up against audits, customer inquiries and other government reviews. Essentially, the standard is like a “safe harbor” against data breaches because it proves the provider was not negligent in their efforts to protect PII.

With so many benefits applicable to the ISO 27018 standard, it is a wonder that many cloud service providers are still contemplating the incorporation of ISO 27018 in their compliance framework and point to reasons that include cost, implementation timeline, maintenance requirements, and market acceptance. But this is only prolonging the inevitable and puts cloud providers and their customers at risk.

Like all other compliance efforts (HIPAA, SSAE, etc.), it’s likely ISO 27018 will eventually become the industry standard, which means cloud service providers need to give it serious consideration now, as it may just be what you need to gain greater customer appreciation and differentiate yourself from the competition.

About the Author

Ryan Mackie

Ryan Mackie is a Principal at Schellman & Company, LLC, and has been with the firm since 2005. Ryan supports the regional Florida market and manages SOC, PCI-DSS, ISO, HIPAA, and Cloud Security Alliance (CSA) STAR Certification and Attestation service delivery. He also oversees the firm-wide methodology and execution for the ISO certification services, including ISO 27001, ISO 9001, ISO 20000-1, and ISO 22301 as well as CSA STAR certification services. He has over 25 years of experience. Ryan also is an active member of the CSA and co-chairs the Open Control Framework committee which is responsible for the CSA STAR Program methodology and execution.

More Content by Ryan Mackie
Previous Article
Picking between ISO 27001 or SOC 2
Picking between ISO 27001 or SOC 2

With the rising popularity of compliance efforts today driven by factors such as customer demand...

Next Article
An Introduction to CSA STAR and ISO 27001
An Introduction to CSA STAR and ISO 27001

Curious about the CSA STAR Program or how its certification works together with ISO 27001? We answer basic ...