ISO IEC 27018:2014 pdf free download.Information technology — Security techniques — Code of practice for protection of personally identifiable information (P11) in public clouds acting as P11 processors.
0.1 Background and context
Cloud service providers who process Personally Identifiable InformatIon (P11) under contract to their customers have to operate their services in ways that allow both parties to meet the requirements of applicable legislation and regulations covering the protection of P11. The requirements and the way in which the requirements are divided between the cloud service provider and its customers vary according to legal jurisdiction, and according to the terms of the contract between the cloud service provider and the customer Legislation which governs how P11 Is allowed to be processed (I.e. collected, used, transferred and disposed of) is sometimes referred to as data protection kglslation P11 is sometimes referred to as personal data or personal information The obligations falling on a P11 processor vary from jurisdiction to jur&sdictlon, which makes it challenging for businesses providing cloud computing services to operate mullrnatlonally.
A publicdoud serviceproviderisa’Pl I processor’ when itprocesses P11 forandaccording to the instructions of a cloud service customer. The cloud service customer, who has the contractual relationship with the public cloud P11 processor, can range from a natural person, a ‘P11 principal’, processing his ocher own P11 in the cloud, to an organization, a ‘Pit controller, processIng P11 relating to many P11 principals. The cloud service customer might authorize one or more cloud service users associated with it to use the services made available to it under Its contract with the public cloud P11 processor, Note that the cloud service customer has authority over the processing and use of the data. A cloud service customer who is alsoa P11 controller might be subject to a wider set of obligations governing the protection of P11 than the public cloud P11 processor. Maintaining the distinction between P11 controller and P11 processor relies on the public cloud P11 processor having no data processing objectives other than those set by the cloud service customer with respect to the P11 it processes and the operations necessary to achieve the cloud service customer’s objectives.
NOTE Where the public cloud PIt processor is processing cloud service customer accoun data, it might b acting as a P11 controller for this purpose. This International Standard does nut cover such activity.
The intention of ISO IEC 27018, when used in conjunction with the information security objectives and controls in ISO/IEC 27002, is to create a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a P11 processor. It has the following objectives.
— To help the public cloud service provider to comply with applicable obligations when acting as a P11 processor, whether such obligations fall on the P11 processor directly or through contracL
— To enable the public cloud P11 processor lobe transparent In relevant matters so that cloud service customers can select well-governed cloud-based P11 processing services.
— To assist the cloud service customerand the public cloud PIt processor in entering into a contractual agreement.
— To provide cloud service customers with a mechanism for exercising audit and compliance rights and responsibilities in cases where individual cloud service customer audits of data hosted in a multi•party. virtualized server (cloud) environment might be impractical technically and might Increase risks to those physical and logIcal network security controls In place.
ISO IEC 27018 does not replace applicable legislation and regulations, but can assist by providing a common compliance framework for public cloud service providers, in particular those that operate in a multinational market.
0,2 P11 protectIon controls for publIc cloud computing services
ISO IEC 27018 Is designed for organizations to use as a reference for selecting P11 protection controls within the process of Implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for implementing commonly accepted P11 protectIon controls for organizations acting as public cloud P11 processors. In particular.
3.1
data breach
compromise olsecurity that leads to the accidental or unbwlul destruction, loss, alteration, unauthorized disclosure of, or access to protected data transmitted, stored or otherwise processed
(SOURCE: ISO/IEC 27O40—’, 3.I
3.2
personally IdentiFIable Information
Pt’
any Information that (a) can be used to identify the P11 principal to whom such information relates, or (b) is or might be directly or indirectly linked to a P11 principal
Mote I to eniry To determine whether a P11 prIncipal Is identifiable. account should be takesi of all the nwans which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to Identify that natural person.
ISOURCE: ISO/IEC 29100:2011.2.91
Note 2 to entry; This definition Is Included to define the term P11 as used In this International Standard, A public cloud P11 processor Is typically not in a position to know explicitly whether Information It processes lalls Into any specified category unless thLs is made transparent by the cloud service customer
3.3
PIt controller
privacy stakeholder (or privacy stakeholders) that determines the purposes and means for processing personally identifiable information (P11) other than natural persons who use data for personal purposes
Mote Ito entry; A P11 controLler sometimes Instructs others (e.g. P11 processors) to process P11 on Its behallwhlle the responsibility for the processing remains with th P11 controller.
(SOURCE: ISO/IEC 29100:2011.2.101
3.4
P11 prIncIpal
natural person to whom the personally Identifiable information (PIt) relates
Mote I to entry; Depending on the lurisdiction and the partIcular P11 protectIon and pnvacy krgslation, the synonym “data subject’ can also be used instead o(the term “P11 principal”.
(SOURCE: ISO/IEC 29100;201 1,2.11)
3.5
PlI processor
privacy stakeholder that processes personally Identifiable information (P11) on behalf of and in accordance with the Instructions ola P11 controller
ISOURCE: ISO/IEC 29100:2011,2.12)
3.6
processing of P11
operation or set of operations performed upon personally identifiable Information (P11)
Note I to entry Examples of processi rig operations of P11 Include, but are not limited to, the collection, storage, alteration, rrtrleval, consultation, disclosure, anonymization, pseudonymlzatlon, dissemination or otherwise making available, deletion or destruction of PIP.
16.1.5 Response to Information security incidents
Control 16.1.5 and the associated implementation guidance and other information specified in
ISO/IEC 27002 apply.
16.1.6 LearnIng from information security Incidents
Control 16.1.6 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.
16.1.7 Collection of evidence
Control 16.1.7 and the associated implementation guidance and other information specified in
ISO/EEC 27002 apply.
17 Information security aspects of business continuity management
The obfectlves specified In, and the contents of, ISO/IEC 27002:2013. Clause 17 apply.
18 Compliance
18.1 Compliance with legal and contractual requirements
The objective specified in, and the contents of. ISO/fEC 27002:2013. 18.1 apply.
P40Th Additional controls and guidance relevant to compliance with legal and contractual rruirc1ncnts can
beIouiidlnLjj.
18.2 InformatIon security reviews
rhe objective specified In ISO/JEC 27002:2013, 18.2 applies.
182.1 Independent review of Information security
Control 18.2.1 and the associated implementation guidance and other information specified in 150/ IEC 27002 apply. The following sector’speclflc guidance also applies,
Public cloud P11 protectIon implementation guidance
In cases where individual cloud service customer audits are impractical or may increase risks to security (see 0.1), the public cloud P11 processor should make available to prospective cloud service customers, prior to entering into, and for the duration of, a contract, independent evidence that Information security is implemented and operated in accordance with the public cloud P11 processor’s policies and procedures. A relevant Independent audit as selected by the public cloud P11 processor should normally bean acceptable method for fulfilling the cloud service customer’s Interest In reviewing the public cloud P11 processol”s processing operations, provided sufficient transparency is provided.
18.2.2 ComplIance with security policies and standards
Control 18.2.2 and the associated Implementation guidance and other information specified in ISO! EEC 27002 apply.
18.2.3 TechnIcal compliance review
Control 18.2.3 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.