Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

This standard provides guidance aimed at ensuring that cloud service providers (such as Amazon and Google) offer suitable information security controls to protect the privacy of their customers clients by securing Personally Identifiable Information entrusted to them.

The standard will be followed by ISO/IEC 27017 covering the wider information security angles of cloud computing, other than privacy.

The project had widespread support from national standards bodies plus the Cloud Security Alliance.

The standard is primarily concerned with public-cloud computing service providers acting as PII processors . “A public cloud service provider is a ‘PII processor’ when it processes PII for and according to the instructions of a cloud service customer” [from the DIS version]. It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

ISO 27018 Certification – Benefits

• Inspires trust in your business – provides greater reassurance to your customers and stakeholders that personal data and information is protected.
• Reduces risks – ensures that risks are identified and controls are in place to manage or reduce them.
• Helps grow your business – provides common guidelines across different countries, making it easier to do business globally and gain access as a preferred supplier.
• Win customer trust
• Protects against fines – ensures that local regulations are complied with reducing the risk of fines for data breaches.
• Protects your brand reputation – reduces the risk of adverse publicity due to data breaches.