What is this standard about?
It is a sector-specific supplement to BS ISO/IEC 27001:2013 and BS ISO/IEC 27002:2013 for use by organizations providing public cloud services. It contains additional privacy controls and guidance for use when processing Personally Identifiable Information (PII).
Who is this standard for?
It applies to any organization that provides information processing services as a PII processor via cloud computing, under contract to other organizations. These could include:
- Public and private companies
- Government organizations
- Not-for-profit organizations
It will also be useful to:
- In-house IT operators, auditors and designers of information management systems
- The data security industry
- IT regulators
Why should you use this standard?
The adoption of cloud computing in all sectors of the economy is being promoted in order to boost productivity; however, concerns over privacy and security have acted as a barrier to migrating data to the cloud.
BS ISO/IEC 27018 was introduced to give cloud service providers an auditable standard, so that their customers can in turn demonstrate that they meet their own regulatory obligations on data security.
It establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. It specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which may be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
It is an important step towards compliance with the principles in the new Data Protection Act, and towards boosting customer confidence in cloud computing technologies.