PRIVACY IN THE CLOUD
An Introduction to ISO/IEC 27018
Agenda
• Introduction
• Framing out the Purpose
• What is ISO 27018
• What is the Approach to ISO 27018
• How can ISO 27018 be Applied to an ISMS
• Market Acceptance of ISO 27018
• Q&A
1 Framing out the Purpose
Purpose – Scenario
• Prospects or customers need assurance
• No access to data, but the data, though encrypted, resides in your cloud
• Concern that there may be a breach, disclosure, or violation of regulation / compliance (HIPAA, GDPR, Privacy Shield)
• Maintain SOC 2 and ISO 27001
Purpose – Solution
• Enter ISO 27018
  • Specifically crafted for cloud providers and how they handle PII in the cloud
  • Additional control implementation guidance on ISO 27002 controls
  • Extended control considerations from ISO 29100 (Privacy Framework)
2 What is ISO 27018?
ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  • e.g. A6.1.2 – segregation of duties (nothing unique from 27018 to meet this control requirement)
• Recommendations not Requirements
  • Should v Shall
27018 – The Numbers
• 14 ISO 27001 Annex A controls included with additional implementation guidance applicable to protecting PII in the public cloud
  • A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  • Act as additional controls to complement those of Annex A
27018 Control Association
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018

Domain | Title | Comment
5 | Information Security Policies | Sector-specific implementation guidance and other information provided
6 | Organization of Information Security | Sector-specific implementation guidance is provided
7 | Human Resources Security | Sector-specific implementation guidance and other information provided
9 | Access Control | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
10 | Cryptography | Sector-specific implementation guidance is provided
11 | Physical and Environmental Security | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
12 | Operations Security | Sector-specific implementation guidance is provided
13 | Communications Security | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
16 | Information Security Incident Management | Sector-specific implementation guidance is provided
18 | Compliance | Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains not impacted by ISO 27018

Domain | Title | Comment
8 | Asset Management | No additional sector-specific guidance or other information provided
14 | System Acquisition, Development, and Maintenance | No additional sector-specific guidance or other information provided
15 | Supplier Relationships | No additional sector-specific guidance or other information provided
17 | Information Security Aspects of Business Continuity Management (BCM) | No additional sector-specific guidance or other information provided
27018 Depth – Extended Controls
ISO 29100 control domains included as extended controls in ISO 27018

Domain | Title | Comment
1 | Consent and choice | 1 control – Obligation to cooperate regarding PII principal's rights
2 | Purpose legitimacy and specification | 2 controls – (1) Public cloud PII processor's purpose; (2) Public cloud PII processor's commercial use
3 | Collection limitation | No extended controls applicable
4 | Data minimization | 1 control – Secure erasure of temporary files
5 | Use, retention, and disclosure limitation | 2 controls – (1) PII disclosure notification; (2) Recording of PII disclosures
6 | Accuracy and quality | No extended controls applicable
7 | Openness, transparency, and notice | 1 control – Disclosure of subcontracted PII processing
8 | Individual participation and access | No extended controls applicable
27018 Depth – Extended Controls
ISO 29100 control domains included as extended controls in ISO 27018

Domain | Title | Comment
9 | Accountability | 3 controls – (1) Notification of a data breach involving PII; (2) Retention period for administrative security policies and guidelines; (3) PII return, transfer and disposal
10 | Information security | 13 controls – (1) Confidentiality or non-disclosure agreements; (2) Restriction on the creation of hardcopy material; (3) Control and logging of data restoration; (4) Protecting data on storage media leaving the premises; (5) Use of unencrypted portable storage media and devices; (6) Encryption of PII transmitted over public data-transmission networks; (7) Secure disposal of hardcopy materials; (8) Unique use of user IDs; (9) Records of authorized users; (10) User ID management; (11) Contract measures; (12) Sub-contracted PII processing; (13) Access to data on pre-used data storage space
11 | Privacy compliance | 2 controls – (1) Geographical location of PII; (2) Intended destination of PII
3 What is the Approach for ISO 27018?
Options
• Inclusion into a certified ISMS
• Unaccredited certificate
• Attestation report
• Benchmark assessment
ISMS Option – Initial Certification
• Initial Certification
  • Stage 2 incorporation of ISO 27018
  • Statement of applicability acts as an audit road map
• Surveillance / Recertification
  • Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
  • Apply heavier focus on inclusion of ISO 27018
ISMS Option – Scope Expansion
• Specifically focus on inclusion of ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls
ISMS Option – Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27018, on the accredited 27001 certificate
• Demonstrates an active management system that supports those controls from 27018 (risk assessment, internal audit, measurement and monitoring, etc.)
• Available on the certificate directory
• No unique mark or accredited certificate issued for ISO
Unaccredited Certificate
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of a certificate
• Would not include an accreditation body mark (e.g. ANAB or UKAS)
Attestation Report
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by a CPA firm at any time
• Deliverable of an attestation report including opinion letter and assertion letter, system description, and identification
Benchmark Assessment
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of an assessment report including description of the audit performed and identification of controls in place
4 How can ISO 27018 be Applied to an ISMS?
Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  • Internal and external issues
  • Needs and expectations of interested parties
  • Interfaces and dependencies performed by the organization and those performed by other organizations
Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary
Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine if the supplemental / extended control is in place
Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure to measure any modification to the information security objectives
Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel
Monitoring – Internal Audit (Clause 9.2)
• Incorporation into audit plan / program
• Assessment of results
• Planned remediation
5 Market Acceptance of ISO 27018
Market Driven
• Major cloud providers (AWS, Azure, Salesforce, GE Digital etc.) early adopters
• ISMS inclusion and separate certificates
• CSA incorporation into their Cloud Control Matrix (CCM)
• General Data Protection Regulation (GDPR)
ISO 27018 Growth
• Likely to be proportionate to the 27001 growth (relative to cloud providers)
  • 20% globally and 78% in North America from 2014-2015
• Not a market differentiator but a market denominator
STAY UP-TO-DATE
www.schellmanco.com
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Privacy in the Cloud – Introduction to ISO 27018

1. Privacy in the Cloud – An Introduction to ISO/IEC 27018

2. Agenda
• Introduction
• Framing out the Purpose
• What is ISO 27018
• What is the Approach to ISO 27018
• How can ISO 27018 be Applied to an ISMS
• Market Acceptance of ISO 27018
• Q&A

4. Purpose – Scenario
• Prospects or customers need assurance
• No access to data, but the data, though encrypted, resides in your cloud
• Concern that there may be a breach, disclosure, or violation of regulation / compliance (HIPAA, GDPR, Privacy Shield)
• Maintain SOC 2 and ISO 27001

5. Purpose – Solution
• Enter ISO 27018
• Specifically crafted for cloud providers and how they handle PII in the cloud
• Additional control implementation guidance on ISO 27002 controls
• Extended control considerations from ISO 29100 (Privacy Framework)

6. Section 2: What is ISO 27018?

7. ISO 27018 Overview
• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment

8. 27018 Design
• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  • e.g. A6.1.2 – segregation of duties (nothing unique from 27018 to meet this control requirement)
• Recommendations, not requirements
  • "Should" vs. "shall"

9. 27018 – The Numbers
• 14 ISO 27001 Annex A controls included with additional implementation guidance applicable to protecting PII in the public cloud
  • A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  • Act as additional controls to complement those of Annex A
10. 27018 Control Association
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018

Domain  Title                                     Comment
5       Information Security Policies             Sector-specific implementation guidance and other information provided
6       Organization of Information Security      Sector-specific implementation guidance is provided
7       Human Resources Security                  Sector-specific implementation guidance and other information provided
10      Cryptography                              Sector-specific implementation guidance is provided
12      Operations Security                       Sector-specific implementation guidance is provided
16      Information Security Incident Management  Sector-specific implementation guidance is provided

11. 27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains with supplemental guidance from ISO 27018 (continued)

Domain  Title                                Comment
9       Access Control                       Sector-specific implementation guidance is provided, with a cross reference to controls in Annex A
11      Physical and Environmental Security  Sector-specific implementation guidance is provided, with a cross reference to controls in Annex A
13      Communications Security              Sector-specific implementation guidance is provided, with a cross reference to controls in Annex A
18      Compliance                           Sector-specific implementation guidance is provided, with a cross reference to controls in Annex A

12. 27018 Depth – Supplemental Controls
ISO 27001 Annex A control domains not impacted by ISO 27018

Domain  Title                                      Comment
8       Asset Management                           No additional sector-specific guidance or other information provided
14      System Acquisition, Dev, and Maintenance   No additional sector-specific guidance or other information provided
15      Supplier Relationships                     No additional sector-specific guidance or other information provided
17      Information Security Aspects of BCM        No additional sector-specific guidance or other information provided
13. 27018 Depth – Extended Controls
ISO 29100 control domains (privacy principles) included as extended controls in ISO 27018

Domain  Title                                      Comment
1       Consent and choice                         1 control – Obligation to cooperate regarding PII principals' rights
2       Purpose legitimacy and specification       2 controls – (1) Public cloud PII processor's purpose; (2) Public cloud PII processor's commercial use
3       Collection limitation                      No extended controls applicable
4       Data minimization                          1 control – Secure erasure of temporary files
5       Use, retention, and disclosure limitation  2 controls – (1) PII disclosure notification; (2) Recording of PII disclosures
6       Accuracy and quality                       No extended controls applicable
7       Openness, transparency, and notice         1 control – Disclosure of subcontracted PII processing
8       Individual participation and access        No extended controls applicable

14. 27018 Depth – Extended Controls
ISO 29100 control domains (privacy principles) included as extended controls in ISO 27018 (continued)

Domain  Title                  Comment
9       Accountability         3 controls – (1) Notification of a data breach involving PII; (2) Retention period for administrative security policies and guidelines; (3) PII return, transfer and disposal
10      Information security   13 controls:
                                 (1) Confidentiality or non-disclosure agreements
                                 (2) Restriction on the creation of hardcopy material
                                 (3) Control and logging of data restoration
                                 (4) Protecting data on storage media leaving the premises
                                 (5) Use of unencrypted portable storage media and devices
                                 (6) Encryption of PII transmitted over public data-transmission networks
                                 (7) Secure disposal of hardcopy materials
                                 (8) Unique use of user IDs
                                 (9) Records of authorized users
                                 (10) User ID management
                                 (11) Contract measures
                                 (12) Sub-contracted PII processing
                                 (13) Access to data on pre-used data storage space
11      Privacy compliance     2 controls – (1) Geographical location of PII; (2) Intended destination of PII
15. Section 3: What is the Approach for ISO 27018?

16. Options
• Inclusion into a certified ISMS
• Unaccredited certificate
• Attestation report
• Benchmark assessment

17. ISMS Option – Initial Certification
• Initial certification
  • Stage 2 incorporation of ISO 27018
  • Statement of Applicability acts as an audit road map
• Surveillance / recertification
  • Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
  • Apply heavier focus on inclusion of ISO 27018

18. ISMS Option – Scope Expansion
• Specifically focus on inclusion of ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls

19. ISMS Option – Certificate
• Included as a part of the scope statement, related to the SOA based on ISO 27018, on the accredited 27001 certificate
• Demonstrates an active management system that supports those controls from 27018 (risk assessment, internal audit, measurement and monitoring, etc.)
• Available on certificate directory
• No unique mark or accredited certificate issued for ISO

20. Unaccredited Certificate
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable is a certificate
• Would not include an accreditation body mark (e.g. ANAB or UKAS)

21. Attestation Report
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by a CPA firm at any time
• Deliverable is an attestation report including opinion letter and assertion letter, system description, and identification

22. Benchmark Assessment
• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable is an assessment report including description of the audit performed and identification of controls in place

23. Section 4: How can ISO 27018 be Applied to an ISMS?

24. Design – Scope (Clause 4)
• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  • Internal and external issues
  • Needs and expectations of interested parties
  • Interfaces and dependencies between activities performed by the organization and those performed by other organizations

25. Design – Risk Assessment (Clause 6)
• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary

26. Design – Statement of Applicability (Clause 6)
• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine if the supplemental / extended control is in place

27. Design – Objectives (Clause 6)
• Modify the information security objectives as appropriate
• Ensure that any modification to the information security objectives is measured

28. Monitoring – Measurement (Clause 9.1)
• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel

29. Monitoring – Internal Audit (Clause 9.2)
• Incorporation into audit plan / program
• Assessment of results
• Planned remediation

31. Market Driven
• Major cloud providers (AWS, Azure, Salesforce, GE Digital, etc.) were early adopters
• ISMS inclusion and separate certificates
• CSA incorporation into their Cloud Controls Matrix (CCM)
• General Data Protection Regulation (GDPR)

32. ISO 27018 Growth
• Likely to be proportionate to 27001 growth (relative to cloud providers)
  • 20% globally and 78% in North America from 2014-2015
• Not a market differentiator but a market denominator