ISO/IEC 27018 — Information technology — Security techniques — Code of practice for PII protection in public clouds acting as PII processors (DRAFT)


This standard will provide guidance aimed at ensuring that cloud computing services incorporate suitable information security controls to protect the privacy of PII (Personally Identifiable Information) entrusted to them by customers. 

The standard will be accompanied by ISO/IEC 27017, which covers the wider information security aspects of cloud services.

The project has widespread support from national standards bodies plus the Cloud Security Alliance.


Scope and purpose

The standard intends to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls” [quoted from the DIS version].

The standard will not duplicate ISO/IEC 27002 but interpret it in the context of securing personal data processed in the cloud.  It is based directly on the 2013 updated version of 27002.

ISO/IEC 27000, 27001 and 27002 are cited as ‘normative’ (essential) standards, plus ISO/IEC 29100 “Privacy framework”.


Status of the standard

The standard is at DIS stage and has a new title (see above), in which the abbreviation PII (Personally Identifiable Information) is left unexpanded.

It looks likely to be published in 2014.


Personal comments

The standard is similar in style to ISO/IEC 27015 (the information security management guidelines for financial services) in that it builds on ISO/IEC 27002, expanding on 27002’s generic advice in a few areas, and referring to the OECD privacy principles that are enshrined in several privacy laws and regulations.  In most sections, it simply says “The objectives specified in, and the contents of, clause [whatever] of ISO/IEC 27002 apply.”  The expansions or additions are pretty straightforward. 

