Privacy in the Cloud- Introduction to ISO 27018


Transcript of Privacy in the Cloud- Introduction to ISO 27018

Page 1: Privacy in the Cloud- Introduction to ISO 27018

PRIVACY IN THE CLOUD

An Introduction to ISO/IEC 27018

Page 2: Privacy in the Cloud- Introduction to ISO 27018

Agenda

• Introduction
• Framing out the Purpose
• What is ISO 27018?
• What is the Approach to ISO 27018?
• How can ISO 27018 be Applied to an ISMS?
• Market Acceptance of ISO 27018
• Q&A

Page 3: Privacy in the Cloud- Introduction to ISO 27018

1. Framing out the Purpose

Page 4: Privacy in the Cloud- Introduction to ISO 27018

Purpose – Scenario

• Prospects or customers need assurance
• No access to data, but the data, though encrypted, resides in your cloud
• Concern that there may be a breach, disclosure, or violation of regulation / compliance (HIPAA, GDPR, Privacy Shield)
• Maintain SOC 2 and ISO 27001

Page 5: Privacy in the Cloud- Introduction to ISO 27018

Purpose – Solution

• Enter ISO 27018
• Specifically crafted for cloud providers and how they handle PII in the cloud
• Additional control implementation guidance on ISO 27002 controls
• Extended control considerations from ISO 29100 (Privacy Framework)

Page 6: Privacy in the Cloud- Introduction to ISO 27018

2. What is ISO 27018?

Page 7: Privacy in the Cloud- Introduction to ISO 27018

ISO 27018 Overview

• Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
• Issued August 1, 2014
• Commonly accepted control objectives, controls and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment

Page 8: Privacy in the Cloud- Introduction to ISO 27018

27018 Design

• Alignment to ISO 27001 Annex A / ISO 27002
• Public cloud PII protection control implementation guidance
• Not intended to be a unique control set
  • e.g. A6.1.2 – segregation of duties (nothing unique from 27018 to meet this control requirement)
• Recommendations, not Requirements
  • Should vs. Shall

Page 9: Privacy in the Cloud- Introduction to ISO 27018

27018 – The Numbers

• 14 ISO 27001 Annex A controls included with additional implementation guidance applicable to protecting PII in the public cloud
  • A5 (1), A6 (1), A7 (1), A9 (2), A10 (1), A11 (1), A12 (4), A13 (1), A16 (1), A18 (1)
• 25 extended controls (based on the 11 privacy principles of ISO/IEC 29100)
  • Act as additional controls to complement those of Annex A

Page 10: Privacy in the Cloud- Introduction to ISO 27018

27018 Control Association

ISO 27001 Annex A control domains with supplemental guidance from ISO 27018

Domain 5 – Information Security Policies: Sector-specific implementation guidance and other information provided
Domain 7 – Human Resources Security: Sector-specific implementation guidance and other information provided

Domain 6 – Organization of Information Security: Sector-specific implementation guidance is provided
Domain 10 – Cryptography: Sector-specific implementation guidance is provided
Domain 12 – Operations Security: Sector-specific implementation guidance is provided
Domain 16 – Information Security Incident Management: Sector-specific implementation guidance is provided

Page 11: Privacy in the Cloud- Introduction to ISO 27018

27018 Depth – Supplemental Controls

ISO 27001 Annex A control domains with supplemental guidance from ISO 27018

Domain 9 – Access Control: Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
Domain 11 – Physical and Environmental Security: Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
Domain 13 – Communications Security: Sector-specific implementation guidance is provided with a cross reference to controls in Annex A
Domain 18 – Compliance: Sector-specific implementation guidance is provided with a cross reference to controls in Annex A

Page 12: Privacy in the Cloud- Introduction to ISO 27018

27018 Depth – Supplemental Controls

ISO 27001 Annex A control domains not impacted by ISO 27018

Domain 8 – Asset Management: No additional sector-specific guidance or other information provided
Domain 14 – System Acquisition, Development, and Maintenance: No additional sector-specific guidance or other information provided
Domain 15 – Supplier Relationships: No additional sector-specific guidance or other information provided
Domain 17 – Information Security Aspects of BCM: No additional sector-specific guidance or other information provided

Page 13: Privacy in the Cloud- Introduction to ISO 27018

27018 Depth – Extended Controls

ISO 29100 control domains included as extended controls in ISO 27018

Domain 1 – Consent and choice: 1 control – Obligation to cooperate regarding PII principal's rights
Domain 2 – Purpose legitimacy and specification: 2 controls – (1) Public cloud PII processor's purpose; (2) Public cloud PII processor's commercial use
Domain 3 – Collection limitation: No extended controls applicable
Domain 4 – Data minimization: 1 control – Secure erasure of temporary files
Domain 5 – Use, retention, and disclosure limitation: 2 controls – (1) PII disclosure notification; (2) Recording of PII disclosures
Domain 6 – Accuracy and quality: No extended controls applicable
Domain 7 – Openness, transparency, and notice: 1 control – Disclosure of subcontracted PII processing
Domain 8 – Individual participation and access: No extended controls applicable

Page 14: Privacy in the Cloud- Introduction to ISO 27018

27018 Depth – Extended Controls

ISO 29100 control domains included as extended controls in ISO 27018

Domain 9 – Accountability: 3 controls
  (1) Notification of a data breach involving PII
  (2) Retention period for administrative security policies and guidelines
  (3) PII return, transfer and disposal
Domain 10 – Information security: 13 controls
  (1) Confidentiality or non-disclosure agreements
  (2) Restriction on the creation of hardcopy material
  (3) Control and logging of data restoration
  (4) Protecting data on storage media leaving the premises
  (5) Use of unencrypted portable storage media and devices
  (6) Encryption of PII transmitted over public data-transmission networks
  (7) Secure disposal of hardcopy materials
  (8) Unique use of user IDs
  (9) Records of authorized users
  (10) User ID management
  (11) Contract measures
  (12) Sub-contracted PII processing
  (13) Access to data on pre-used data storage space
Domain 11 – Privacy compliance: 2 controls
  (1) Geographical location of PII
  (2) Intended destination of PII

Page 15: Privacy in the Cloud- Introduction to ISO 27018

3. What is the Approach for ISO 27018?

Page 16: Privacy in the Cloud- Introduction to ISO 27018

Options

• Inclusion into a certified ISMS
• Unaccredited certificate
• Attestation report
• Benchmark assessment

Page 17: Privacy in the Cloud- Introduction to ISO 27018

ISMS Option – Initial Certification

• Initial Certification
  • Stage 2 incorporation of ISO 27018
  • Statement of Applicability acts as an audit road map
• Surveillance / Recertification
  • Perform regular maintenance review to ensure continued conformance and operating effectiveness of the ISMS
  • Apply heavier focus on inclusion of ISO 27018

Page 18: Privacy in the Cloud- Introduction to ISO 27018

ISMS Option – Scope Expansion

• Specifically focus on inclusion of ISO 27018
• Assess relevant elements of the ISMS and supplemental / extended controls

Page 19: Privacy in the Cloud- Introduction to ISO 27018

ISMS Option – Certificate

• Included as a part of the scope statement, related to the SOA based on ISO 27018, on the accredited 27001 certificate
• Demonstrates an active management system that supports those controls from 27018 (risk assessment, internal audit, measurement and monitoring, etc.)
• Available on certificate directory
• No unique mark or accredited certificate issued for ISO

Page 20: Privacy in the Cloud- Introduction to ISO 27018

Unaccredited Certificate

• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of certificate
  • Would not include accreditation body mark (i.e. ANAB or UKAS)

Page 21: Privacy in the Cloud- Introduction to ISO 27018

Attestation Report

• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by a CPA firm at any time
• Deliverable of attestation report including opinion letter and assertion letter, system description, and identification

Page 22: Privacy in the Cloud- Introduction to ISO 27018

Benchmark Assessment

• Assessment against controls in ISO 27002 and ISO 27018 (full control assessment – like unaccredited certificate)
• Does not require ISO 27001 certification as a prerequisite
• Can be performed by any organization at any time
• Deliverable of assessment report including description of audit performed and identification of controls in place

Page 23: Privacy in the Cloud- Introduction to ISO 27018

4. How can ISO 27018 be Applied to an ISMS?

Page 24: Privacy in the Cloud- Introduction to ISO 27018

Design – Scope (Clause 4)

• Modify the scope statement as applicable
• Ensure appropriate inclusion through identification of:
  • Internal and external issues
  • Needs and expectations of interested parties
  • Interfaces and dependencies between activities performed by the organization and those performed by other organizations

Page 25: Privacy in the Cloud- Introduction to ISO 27018

Design – Risk Assessment (Clause 6)

• Identification of supplemental and extended controls through the risk assessment process
• Controls should be necessary to mitigate risk applicable to the scope
• Apply appropriate treatment if necessary

Page 26: Privacy in the Cloud- Introduction to ISO 27018

Design – Statement of Applicability (Clause 6)

• Incorporate supplemental / extended controls into the SOA
• Justification of inclusion / exclusion still applies (for the entire related standard)
• Determine if the supplemental / extended control is in place

Page 27: Privacy in the Cloud- Introduction to ISO 27018

Design – Objectives (Clause 6)

• Modify the information security objectives as appropriate
• Ensure any modification to the information security objectives is measured

Page 28: Privacy in the Cloud- Introduction to ISO 27018

Monitoring – Measurement (Clause 9.1)

• Measure key supplemental / extended controls to ensure effectiveness
• Ensure appropriate and proper criteria are applied
• Include relevant personnel

Page 29: Privacy in the Cloud- Introduction to ISO 27018

Monitoring – Internal Audit (Clause 9.2)

• Incorporation into audit plan / program
• Assessment of results
• Planned remediation

Page 30: Privacy in the Cloud- Introduction to ISO 27018

5. Market Acceptance of ISO 27018

Page 31: Privacy in the Cloud- Introduction to ISO 27018

Market Driven

• Major cloud providers (AWS, Azure, Salesforce, GE Digital, etc.) were early adopters
• ISMS inclusion and separate certificates
• CSA incorporation into their Cloud Controls Matrix (CCM)
• General Data Protection Regulation (GDPR)

Page 32: Privacy in the Cloud- Introduction to ISO 27018

ISO 27018 Growth

• Likely to be proportionate to 27001 growth (relative to cloud providers)
  • 20% globally and 78% in North America from 2014-2015
• Not a market differentiator but a market denominator