What is it?
ISO/IEC 27018 is a code of practice for all types and sizes of organizations that emphasizes the safeguarding of personally identifiable information (PII) in public clouds. It is an extension to an existing information security management system established for ISO/IEC 27001 standard, and is simply a set of additional controls and associated guidance intended to address public cloud PII protection requirements not addressed by the existing ISO/IEC 27001 control set.
Why do I need it?
Typically an organization implementing ISO/IEC 27001 is protecting its own information assets.
However, in the context of PII protection requirements for a public cloud computing service provider acting as a PII processor, the organization is protecting the information assets entrusted to it by its customers.
The ISO/IEC 27018 augments the ISO/IEC 27001 controls to accommodate the distributed nature of the risk and the existence of a contractual relationship between the cloud service customer and the public cloud PII processor.
As a cloud computing provider, alignment with ISO/IEC 27018 demonstrates to your customers that you have a system of controls that specifically address the privacy protection of their data. Having SSF provide you with an independent third-party assessment of this internationally recognized code of practice highlights your commitment to the privacy and protection of customer data.
What if I don’t process Personally Identifiable Information (PII)?
Alignment with ISO 27018 demonstrates that your company maintains a high level of data protection and privacy controls for your customer’s content, regardless of whether or not their data is PII.
Like all other compliance efforts (HIPAA, SOC, GDPR, etc.), its likely ISO/IEC 27018 will eventually become the standard by which cloud computing service providers are evaluated to confirm reasonable protection of sensitive data. Cloud computing providers need to give serious consideration to ISO/IEC 27018 to gain customer confidence and to differentiate their company from the competition.