ISO 27018 Audit & Implementation

ISO/IEC 27018 is a code of practice for protecting Personally Identifiable Information (PII) in public cloud services. It provides guidelines and controls for processing PII by Cloud Service Providers (CSPs).

The standard focuses on the protection of privacy in the cloud and is an extension of the ISO/IEC 27001 Information Security Management System (ISMS) standard.

Core Objectives

• Helps the public cloud PII processor carry out their responsibilities, particularly if they are contracted to provide public cloud services
• Makes the procedure more accessible so that prospective cloud service users can get secure, well-managed cloud-based PII processing services
• Assists customers and cloud providers draft contracts for the management of personally identifiable information
• Offers cloud service customers an audit and compliance procedure

Deliverables

• Identifying and establishing the organization's context, including its internal, external, and risk management contexts
• Identifying all interested parties and their needs (such as clients, partners, suppliers, and shareholders, but also possible entities like the families of employees, the local community, the media, and government agencies, etc.)
• Ensures that the organization has a robust data protection and privacy management system in place
• Implements policies, procedures, and controls to manage and protect PII throughout its lifecycle
• Verifies that the organization complies with relevant data protection laws and regulations, as well as contractual obligations related to privacy in the cloud
• Ensures that individuals are informed about the collection, processing, and storage of their PII in the cloud
• Authenticates that the organization obtains and manages consent appropriately and provides transparency in its data processing activities
• Confirms that mechanisms are in place for individuals to exercise their rights regarding their PII, such as the right to access, correct, delete, or restrict processing
• Evaluates the implementation of security controls to protect PII against unauthorized access, disclosure, alteration, and destruction
• Confirms that there are procedures for notifying relevant parties, including data subjects and authorities, in the event of a data breach
• Assesses the management of third-party relationships, including cloud service providers, to ensure that they adhere to ISO 27018 requirements
• Collection of evidence
• Reviewing and updating documentation, including security policies, procedures, and risk assessments, to ensure compliance with ISO 27018
• Proving in-house Awareness Training
• Conducting internal audit & MRM
• Guiding in establishing a framework for continuous improvement, helping organizations monitor and enhance their privacy practices over time
• Assisting the organization in executing remedial and preventive measures
• Holding off until the certifying body issues the final certification