[ Certification Introduction ]

ISO/IEC 27018:2019 is a cloud service PII protection international standard and is an implementation guideline to protect Personally Identification Information (PII) as a PII processors in a public cloud environment.

When an organization establishes and operates an information security management system based on ISO/IEC 27001:2013, ISO/IEC 27018:2019 is consisting of so that introducing and applying standards to organizations through the establishment, implementation, and performance of additional requirements required by ISO/IEC 27001:2013 and ISO/IEC 27018:2019.

<ISO/IEC 27018 Certification Introduction>

It provides implementation guidelines focused on protecting PII, and the structure is as follows.

• •  To establish an information protection management system, it is based on ISO/IEC 27001:2013.
• •  In consideration of regulatory requirements for PII protection applicable within the context of the information security risk environment of public cloud service providers, applied the guidelines based on ISO/IEC 27002:2013.
• •  In accordance with ISO/IEC 29100:2011's personal information protection principles about public cloud computing environments, set control objectives, controls and guidelines for implementing PII protection measures.

[ ISO/IEC 27018:2019 Requirements ]

This standard acts as a trustee of personal information through cloud services under contracts with other organizations and is applicable to organizations of all types and sizes, including public institutions and private enterprises, government agencies and non-profit organizations that provide information processing services.

• Scope
• Normative references
• Terms and Definitions
• Overview
• Information security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

• Annex A Public cloud PII processor extended control set for PII protection

[ The importance of ISO/IEC 27018:2019 ]

• The exponential increase in security incidents over the last few years has seen the protection of PII become a priority.
• This standard can be used as an independent measure when evaluating and comparing privacy controls of potential public cloud service providers.
• For regulators, assess privacy protection based on this standard.
• It offers cloud service providers a way to differentiate their services from the competition.
• It provides common guidelines across different countries, making it easier to do business globally.

[ The necessity of ISO/IEC 27018:2019 ]

• •  Objective evaluation criteria are needed that can mortgage security and reliability, the biggest obstacle of cloud service introduction.
• •  Cloud computing services require security management and evaluation criteria from a different perspective than the existing IT environment within the organization.
• •  As cloud computing services become active, individual and corporate users who use the service can suffer from personal information infringement accidents.
• •  Ensures that risks are identified and controls are in place to manage or reduce them.
• •  Ensures that local regulations are complied with, reducing the risk of fines for data breaches.

[ The effect of ISO/IEC 27018:2019 ]

• •  It can verify that cloud operators have security and reliability through Third-party certification.
• •  Based on the ISO/IEC system, it is able to evaluate the effectiveness of building security controls related to cloud security.
• •  Cloud service operators can provide customers with reliability in protecting cloud information.
• •  By approving the application of best practices to protect personally identifiable information, it can gain a competitive advantage over competitors.
• •  It identifies risks and establishes controls to manage them or reduce their impact.