Privacy is a growing concern in today's compliance environment.
Existing and new requirements continue to push organizations to properly address their privacy risk.
For a cloud provider, there is no better way to show that the organization is serious about its customers and their data than to include the control requirements of ISO 27018 in its compliance stack.
Agenda
• Introduction
• Framing out the Purpose
• What is ISO 27018
• What is the Approach to ISO 27018
• How can ISO 27018 be Applied to an ISMS
• Market Acceptance of ISO 27018
• Q&A
Purpose – Scenario
• Prospects or customers need assurance
• You have no access to the data, but the data, though encrypted, resides in your cloud
• Concern that there may be a breach, disclosure, or violation of regulation / compliance (HIPAA, GDPR, Privacy Shield)
• Maintain SOC 2 and ISO 27001
Purpose – Solution
• Enter ISO 27018
• Specifically crafted for cloud providers and how they handle PII in the cloud
• Additional control implementation guidance on ISO 27002 controls
• Extended control considerations from ISO 29100 (Privacy Framework)
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  • e.g. A6.1.2 – segregation of duties (nothing unique from 27018 to meet this control requirement)
• Recommendations, not Requirements
  • Should vs. Shall
27018 – The Numbers
• 14 ISO 27001 Annex A controls included with additional implementation guidance applicable to protecting PII in the public cloud
  • A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  • Act as additional controls to complement those of Annex A
27018 Control Association
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018
• Domain 5 – Information Security Policies: sector-specific implementation guidance and other information provided
• Domain 6 – Organization of Information Security: sector-specific implementation guidance is provided
• Domain 7 – Human Resources Security: sector-specific implementation guidance and other information provided
• Domain 10 – Cryptography: sector-specific implementation guidance is provided
• Domain 12 – Operations Security: sector-specific implementation guidance is provided
• Domain 16 – Information Security Incident Management: sector-specific implementation guidance is provided
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018
• Domain 9 – Access Control: sector-specific implementation guidance is provided with a cross reference to controls in Annex A
• Domain 11 – Physical and Environmental Security: sector-specific implementation guidance is provided with a cross reference to controls in Annex A
• Domain 13 – Communications Security: sector-specific implementation guidance is provided with a cross reference to controls in Annex A
• Domain 18 – Compliance: sector-specific implementation guidance is provided with a cross reference to controls in Annex A
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains not impacted by ISO 27018
• Domain 8 – Asset Management: no additional sector-specific guidance or other information provided
• Domain 14 – System Acquisition, Development, and Maintenance: no additional sector-specific guidance or other information provided
• Domain 15 – Supplier Relationships: no additional sector-specific guidance or other information provided
• Domain 17 – Information Security Aspects of BCM: no additional sector-specific guidance or other information provided
27018 Depth – Extended Controls
ISO 29100 privacy principles included as extended controls in ISO 27018
• Principle 1 – Consent and choice: 1 control – Obligation to cooperate regarding PII principals' rights
• Principle 2 – Purpose legitimacy and specification: 2 controls – (1) Public cloud PII processor's purpose; (2) Public cloud PII processor's commercial use
• Principle 3 – Collection limitation: no extended controls applicable
• Principle 4 – Data minimization: 1 control – Secure erasure of temporary files
• Principle 5 – Use, retention, and disclosure limitation: 2 controls – (1) PII disclosure notification; (2) Recording of PII disclosures
• Principle 6 – Accuracy and quality: no extended controls applicable
• Principle 7 – Openness, transparency, and notice: 1 control – Disclosure of subcontracted PII processing
• Principle 8 – Individual participation and access: no extended controls applicable
27018 Depth – Extended Controls
ISO 29100 privacy principles included as extended controls in ISO 27018
• Principle 9 – Accountability: 3 controls – (1) Notification of a data breach involving PII; (2) Retention period for administrative security policies and guidelines; (3) PII return, transfer and disposal
• Principle 10 – Information security: 13 controls
  • (1) Confidentiality or non-disclosure agreements
  • (2) Restriction on the creation of hardcopy material
  • (3) Control and logging of data restoration
  • (4) Protecting data on storage media leaving the premises
  • (5) Use of unencrypted portable storage media and devices
  • (6) Encryption of PII transmitted over public data-transmission networks
  • (7) Secure disposal of hardcopy materials
  • (8) Unique use of user IDs
  • (9) Records of authorized users
  • (10) User ID management
  • (11) Contract measures
  • (12) Sub-contracted PII processing
  • (13) Access to data on pre-used data storage space
• Principle 11 – Privacy compliance: 2 controls – (1) Geographical location of PII; (2) Intended destination of PII
Options
• Inclusion into a certified ISMS
• Unaccredited certificate
• Attestation report
• Benchmark assessment
ISMS Option – Initial Certification
• Initial Certification
  • Stage 2 incorporation of ISO 27018
  • Statement of Applicability acts as an audit road map
• Surveillance / Recertification
  • Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
  • Apply heavier focus on inclusion of ISO 27018
ISMS Option – Scope Expansion
• Specifically focus on inclusion of ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
ISMS Option – Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27018, on the accredited 27001 certificate
• Demonstrates an active management system that supports those controls from 27018 (risk assessment, internal audit, measurement and monitoring, etc.)
• Available on the certificate directory
• No unique mark or accredited certificate issued for ISO
Unaccredited Certificate
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of a certificate
• Would not include an accreditation body mark (e.g. ANAB or UKAS)
Attestation Report
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like the unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by a CPA firm at any time
• Deliverable of an attestation report including opinion letter and assertion letter, system description, and identification
Benchmark Assessment
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like the unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of an assessment report including a description of the audit performed and identification of controls in place
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  • Internal and external issues
  • Needs and expectations of interested parties
  • Interfaces and dependencies between activities performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine if the supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure to measure any modification to the information security objectives
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into the audit plan / program
• Assessment of results
• Planned remediation
Market Driven
• Major cloud providers (AWS, Azure, Salesforce, GE Digital, etc.) are early adopters
  • ISMS inclusion and separate certificates
• CSA incorporation into their Cloud Control Matrix (CCM)
• General Data Protection Regulation (GDPR)
ISO 27018 Growth
• Likely to be proportionate to 27001 growth (relative to cloud providers)
  • 20% globally and 78% in North America from 2014-2015
• Not a market differentiator but a market denominator