ISO 27018, formally ISO/IEC 27018, is the code of practice for protecting personally identifiable information (PII) in public clouds, and it focuses on the protection of personal data handled by cloud providers. It works in two ways: it augments the existing controls of ISO/IEC 27002 with cloud-privacy-specific implementation guidance, and it adds a set of further controls dedicated to personal data.
ISO 27018 Policies
ISO 27018 adds a moderate amount of cloud-specific guidance to the Information security policies domain of ISO 27002, and comparatively little to the other domains, such as access control, asset management, human resource security, organization of information security, cryptography, physical and environmental security and communications security.
New Controls for Cloud Privacy
Annex A of ISO 27018 lists the following additional controls, beyond those of ISO 27002, for a cloud provider that wants to raise the level of protection of the personal data it processes:
- The customer's right to access or delete their data
- Use of customer data only for the purposes for which it was provided
- No use of the data for marketing or advertising
- Deletion of temporary files
- A record of every disclosure of personal data
- Notification of customers when their data is breached
- Documented policies and procedures for the cloud service
- A procedure for restoring data
- Restrictions on printing personal data
- Unique IDs for cloud customers
- Disabling of expired user IDs
Difference between ISO 27001 and ISO 27018
ISO 27001 is focused on high-level management system documentation and a continuous improvement cycle, Plan-Do-Check-Act (PDCA). It has a generic set of control objectives and controls, the Annex A controls, to be considered "if applicable". ISO 27018 contains additional, more specific controls, also to be considered "if applicable", for the protection of PII in public clouds that are used or accessed by an organization's products and/or services.
ISO 27018 mapping using ISO Manager Software (a sister company of SecuraStar)
ISO Manager Software (SaaS) is a proprietary tool for managing ISO 27001 requirements, including the mapping of assets, threats, vulnerabilities and selected controls to various GRC requirements, ISO 27018 among them. The software can map controls to any GRC requirement by carrying information from the risk assessment into each requirement, using the Annex A controls as the intermediary.
Get an ISO Manager Software demo today to see how its GRC mapping tool can help your organization simplify compliance with GRC audits.