ISO 27018 Standard - protection of personally identifiable information (PII) in public cloud computing.
Cloud computing is spreading rapidly through companies and institutions around the world because of the many features it provides (according to a PwC study, cloud computing spending grew at a rate of 37% in 2020), and this growth has been accompanied by an increase in cyberattacks.
Control and transparency issues have therefore become a persistent problem and raise customers' concerns about the protection of their information and privacy before they decide to adopt cloud computing. Many customers do not know how cloud computing is built, lack information on how service providers process their data within the cloud, and do not know what happens if they want to switch from one provider to another, if the provider terminates the service, or if the provider changes its terms and policies.
For this reason, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed an international standard that contributes to protecting personal information in the cloud: ISO 27018, the standard dedicated to Personally Identifiable Information (PII) in public cloud computing.
Before defining ISO/IEC 27018, we must clarify that Personally Identifiable Information (PII) is information that can identify a specific person and distinguish one person from another, for example a person's full name, national ID number, passport number, photograph, and many others.
ISO/IEC 27018 is an international standard that provides a set of guidelines for public cloud service providers that process customers' PII, together with a set of controls that cloud providers have to implement in order to protect customers' PII in a manner consistent with privacy principles.
The standard aims to address the specific risks faced by public cloud providers, to help build confidence between cloud providers and their customers, to provide a set of controls that providers have to implement to treat those risks, and to give guidance on what providers need to achieve in terms of contractual and regulatory obligations.
ISO 27018 is considered an auditable and verifiable standard.
A study by PricewaterhouseCoopers (PwC) indicates that 85% of customers will not enter into commercial relations or transactions with a company when they have concerns about its security practices. Put simply, complying with ISO 27018 is a competitive advantage for cloud providers and their customers, as follows:
- Increases customer and stakeholder confidence that their information, including their personal information, is protected according to international best practices.
- Gives you a competitive advantage over your competitors by demonstrating that you apply best practices for protecting personal information.
- Protects your brand: reduces the risk of negative publicity caused by data breaches.
- Reduces risk: identifies risks and establishes controls to manage them or reduce their impact.
- Protects against legal penalties: the standard helps ensure compliance with local regulations, which reduces the risk of penalties for data breaches.
- Helps your business grow: the standard provides internationally recognised controls, which makes growth and future expansion into any country easier.
- The standard is used by cloud providers as a guide to assure current and potential customers that their information is protected in the best way and will not be used for any purpose without their consent.
- Consent: cloud providers MUST NOT use any of the customer's personal information for advertising or marketing unless the customer has explicitly consented.
- The customer must be able to use the service without having to accept any conditions or policies that permit their information to be used for advertising or marketing purposes.
- The customer has full control over their information: customers control how service providers use their data.
- Transparency: cloud providers should tell customers where their information is stored and notify them if a third party is involved in processing the customer's personal information.
- Make sure you have a policy for disposing of data that is no longer needed. For example, when a customer ends their agreement with you, you must have a plan to delete their data or return it to them.
- Cloud providers should produce a comprehensive report of any security incident they encounter and must notify the customer of the steps they need to take to protect their information.
- Third parties must be audited regularly for compliance.
- Every employee in your company who is authorised to access customers' information must be bound by a non-disclosure agreement.
ISO 27018 was first published in 2014 as ISO/IEC 27018:2014 and was last revised in 2019; that version was published under the new name ISO/IEC 27018:2019.
There are few differences between the two versions, and nothing changed in the practices prescribed for protecting information. ISO confirmed this in the 2019 document, whose second section states that "the second edition cancels and replaces the first edition (ISO/IEC 27018:2014), and the revision corrects an editorial error in the first edition".
The standard identifies the guiding controls and principles for implementing security measures to protect personally identifiable information (PII) in a public cloud computing environment.
These controls apply to organisations of all types and sizes, including public and private companies, governmental institutions, and non-profit organisations, that process customers' personal information through the cloud services they provide.
ISO/IEC 27018:2019 contains 18 sections plus a long annex, covering:
- Normative references.
- Terms and definitions.
- General aspects.
- Information security policies.
- Organisation of information security.
- Asset management.
- Access control.
- Human resource security.
- Physical and environmental security.
- Operations security.
- Communications security.
- System acquisition, development, and maintenance.
- Supplier relationships.
- Information security incident management.
- Information security aspects of business continuity management.
Failure to follow regular and correct practices and to maintain contractual compliance can expose the organisation to sanctions and operational measures, for example, but not limited to, suspension of the company's activities, preventing it from continuing to provide its services.
There is also the risk of damage to the public image and reputation of the brand in the eyes of customers, partners, and stakeholders (statistics indicate that 65% to 80% of customers lose confidence in a company that has suffered a security breach and data disclosure).
Finally, there are the high costs of implementing the necessary corrective measures (an IBM study from 2020 puts the cost of a data breach at approximately $3.85 billion).
Renad Al Majd is considered one of the first companies to have successfully implemented the ISO 27018 standard and introduced it to organisations in the Kingdom of Saudi Arabia. It offers a distinct set of services:
- Gap analysis to help identify your organisation's strengths and weaknesses and provide appropriate recommendations.
- ISO 27018 consulting: we have a team of more than 60 consultants and experts in different fields to help you implement and apply the ISO 27018 standard.
- Internal audit: we can help you plan and carry out internal audit processes to check your compliance with the ISO 27018 standard.
- Design and implementation of security controls and policies: this stage includes formulating policies that can be implemented and providing the appropriate support.
- Support during external audits conducted by certification bodies.
- Training and recruitment services for security personnel, and establishment of cybersecurity departments and offices.
- Awareness sessions and training courses on cloud security, to transfer knowledge and enhance employees' skills.
- Installation and commissioning of security solutions (physical and electronic).
- Formulation of an appropriate response methodology and setup of a system for reporting security incidents related to cloud services.
- When you engage RMG, you benefit from more than 60 consultants and experts in the fields of cybersecurity, information technology, and international quality standards.
- The company is characterised by flexibility, accuracy of implementation, and rapid results, thanks to its deep familiarity with the domains and indicators contained in the standard.
- We have expert teams in penetration testing, vulnerability assessment, and vulnerability analysis.
- We have long experience in different business sectors, such as retail, healthcare, industry, education, and services.
- Because security incidents need a quick reaction, we have a support centre that operates continuously (24/7), so that appropriate support is always available without interruption.
- Our work is based on the principle of transparency first: we provide detailed work plans before we start implementing a project.
- We are committed, during all phases of project implementation, to all applicable regulations and rules in the Kingdom regarding safety, health, and the environment.
- We have a project management office that handles all project coordination and supervision.