ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) released a new privacy standard for public cloud computing environments in August 2014.
This new standard, ISO 27018, joins the family of standards supporting the ISO 27001 standard for establishing and operating an Information Security Management System (ISMS). The standard takes into consideration other compliance requirements for privacy, so it can be used as an agnostic and uniform tool for evaluating privacy controls.
The main ISO 27018 standard lists the ISO 27002 (otherwise known as ISO 27001 Annex A) requirements and any additional requirements for public cloud environments. All of the ISO 27002 controls and the associated implementation guidance apply, and the numbering directly references the ISO 27002 controls. The main section does not introduce any new controls, but instead provides further implementation guidance on 14 of the 114 controls in ISO 27002.
Annex A lists 25 new controls, based on the 11 privacy principles originally identified in ISO 29100. Objective numbers 3 (Collection Limitation), 6 (Accuracy and Quality), and 8 (Individual Participation and Access) do not contain any added controls.
There are two primary reasons that you may be affected by this new standard:

1. ISO 27018 can help you identify requirements for selecting a cloud provider and defining contractual clauses. However, it’s up to your organization to determine whether all requirements apply to your needs and to evaluate your cloud provider’s assertions against their supporting evidence.

2. Demonstrating alignment with ISO 27018 can provide you with a unique selling proposition to potential clients. As more clients become familiar with the standard, you may see it routinely integrated with requests for proposal.
The majority of the controls and implementation guidance (26 of the 39) simply overlap with common compliance requirements regarding disclosure, enforcing accountability, and the use of subcontractors; these do not introduce a significant change in requirements. The recommendations are vaguely worded and reference requirements of the compliance framework.
Eight of the requirements specifically reference contractual language that should be in place.
Several cloud providers will be happy to see the implementation guidance for the independent review of information security, which advises that an independent audit selected by the cloud provider is an acceptable lower-risk alternative to audits performed by individual customers.
The most challenging new controls will likely be for scrubbing data from any previous clients using the same space and documenting where PII is stored. This will be a daunting task for those cloud providers that don’t know where their clients’ data is located, although some of them are already tackling these projects because of regulatory requirements.
There is a new control regarding portable media, which seems to be a difficult aspect of privacy for many organizations to manage, although it’s not an innovative one.
Two requirements have to do with retention. ISO does not recommend any specific retention timeframes, but the standard introduces some novel recommendations for the retention of governance, procedures, and logs of system restores.
There are four references to storage media. Although tape backup is still cited as a cause of stolen records, this seems like a proportionately large number of requirements given the increasing use of backup-to-disk in another physical location.
There are two references to hard copy materials, both of which overlap with common privacy compliance requirements. They seem strangely out of place in a list of requirements for cloud services.
The standard aligns closely with existing privacy compliance requirements, including PCI and international privacy laws, so the requirements will be familiar to those already in the space. The novelty and value of 27018 lie in providing a single standardized international set of privacy controls that integrates directly with a security framework many organizations already use. I foresee this standard being used as supplemental guidance in organizations that already use an ISO-based governance and control framework.