THINGS
ISO/IEC 27018 - Code of practice for the protection of PII (Personally Identifiable Information) in public cloud services for cloud providers - is a guideline for public cloud service providers who want to improve the management of personal data.
The objective of this standard is to provide a structured way, based on privacy by design, to address the main issues, both legal and contractual in nature, related to the management of personal data in IT infrastructures distributed according to the public cloud model.
The specific countermeasures introduced by ISO 27018 are based on established international principles regarding privacy. These principles should be used to guide the design, development, implementation, monitoring and measurement of privacy policies and privacy controls in cloud computing services.
Since it is a set of guidelines, the ISO/IEC 27018 standard is not certifiable on its own.
Nonetheless, as provided for by the Accredia circular DC2018SSV022, it is possible to obtain an integration of an existing ISO/IEC 27001 certificate with ISO/IEC 27018, provided the certificate was issued by a recognized certification body.
The integration with ISO 27018 is aimed at demonstrating the Provider's ability to ensure the protection of personal data.
CSQA is accredited by ACCREDIA.
KEY POINTS
The additional controls proposed by ISO/IEC 27018 refer to the privacy principles of ISO/IEC 29100:
- consent and choice
- legitimacy and purpose specification
- limitation of collection
- data minimization
- use, storage and limits to communication
- accuracy and quality
- openness, transparency and disclosure
- participation and access by individuals

Adopting ISO/IEC 27018:
- helps cloud service providers address applicable legal obligations as well as customer expectations
- facilitates cloud service contracting
- improves the transparency and credibility of cloud services
- increases customer trust