ISO 27018: 2019 Revision

As forward-looking organizations become more reliant on cloud-based technology and data-driven solutions, information security management is becoming more and more important.

The ISO 27000 series is a family of standards that provide best practice guidelines for information security management. The standards are published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

The ISO 27000 standards can be used to help organizations manage the security of assets such as financial information, intellectual property and personally identifiable information (PII).

ISO 27018 and 27001 are standards that help cloud service providers adhere to best practices for handling data. ISO 27001 is the earlier, general information security management system (ISMS) standard, while 27018 is a more recent framework that focuses specifically on PII.

A revision to ISO 27018 was published last year – what do you need to know about this revision, and do you need to be ISO 27018 compliant? Let’s take a look.

What Changed With the 2019 Revision to ISO 27018?

ISO 27018 was first released in 2014, followed by a revision in 2019. The field of information technology and data protection is ever evolving, and there have been major changes to the landscape since 2014, most notably the introduction of the European General Data Protection Regulation (GDPR) and California’s sweeping legislation, the California Consumer Privacy Act (CCPA).

However, the changes in the 2019 revision of ISO 27018 are mostly minor.

Along with some small wording updates, the main change is the classification of 27018 changing from an “International Standard” to a “Document”. This reflects the fact that 27018 is not actually a standard that organizations can be certified against. Rather, it’s a set of controls and guidelines for protecting PII in the cloud that should be used to augment organizations’ overall information security management systems.

If your organization is already basing its cloud-based PII protection on ISO 27018 guidelines, it’s unlikely you’ll need to completely update your processes or practices.

ISO 27018 vs. 27001

ISO 27001 is a comprehensive standard that provides organizations, including cloud service providers, with an overall framework for information security management, encompassing a wide variety of security controls, guidelines and best practices. It is an International Standard that organizations can be certified against, whereas 27018 is only a document.

Organizations that provide cloud services can use ISO 27001 to develop their overarching information security management system, while 27018 provides more specific guidelines for implementing protections for PII in the cloud.

If your company delivers any kind of service in the cloud, ISO 27001 is a globally recognized certification to aim for. Additionally, if your cloud services process any kind of PII, it is recommended you implement both 27001 and 27018 to comply with information security best practices.

Why Be ISO 27018 Compliant?

Compliance with ISO 27018 ensures your organization is best placed to adhere to local and international privacy and data security regulations, and to mitigate the risks, to both you and your customers, associated with processing PII in the cloud.

Knowing that you are compliant with the standard for PII security and that you adhere to best practices will give your customers confidence in your organization and in your ability to handle their data safely.

Because ISO 27018 is a global standard, it makes doing business internationally easier, as the guidelines are the same in every country.

Being compliant with 27018 may also streamline contract negotiations and provide your organization with greater legal protection. You can point to your compliance with the prevailing standard when answering questions about your PII practices during negotiations, and it may be beneficial from a legal standpoint in the event of a data breach.

Manage Your Compliance

There are dedicated software tools available to manage your organization’s compliance with the ISO 27000 family; these are specific to the standard and require training to use properly.

A more efficient alternative is using a governance, risk and compliance (GRC) tool that can manage all of your organization’s compliance needs, and be applied to any standard. Rather than requiring separate tools for separate standards, everything can be managed from the one centralized and integrated platform, streamlining processes and creating a single source of truth.

With consumer data privacy becoming a bigger and bigger issue worldwide, it’s more important than ever to ensure your organization is properly protecting PII in the cloud.

The 2019 revision to ISO 27018 clarifies that it is a document of controls and guidelines for PII protection, rather than an International Standard that organizations can be certified against. It is nonetheless vitally important that cloud service providers (CSPs) that process PII have strict security measures in place, and a good way to achieve that is to follow the ISO 27018 document and be ISO 27001 certified.

Compliance with 27018 will give your customers greater confidence, make it easier to do business internationally, streamline contract negotiations and provide greater legal protections to your business.