ISO/IEC 27018:2019 provides organizations with the internationally accepted code of practice for the protection of personally identifiable information (PII) in public clouds. Essentially, it is a set of control refinements to, and additions on top of, ISO/IEC 27002.
Many will know that the Australian Privacy Act is up for its most significant update since 1988, although the introduction of the Notifiable Data Breach (NDB) scheme in 2018 was also a pretty big deal. Australia is now playing catch-up to the rest of the world on privacy. At least we're trying now.
ISO has published guidance on the protection of personally identifiable information (PII) in public clouds, encapsulated in ISO/IEC 27018, since 2014, with the most recent version released in 2019. This guidance gives us a good idea of the overarching measures needed to be ready for further legislative change in this space. Let's take a look.
There are 16 controls within ISO/IEC 27001 (specifically the 2013 version) that are modified with the adoption of ISO/IEC 27018 (this equates to 13 if you are using the 2022 version, because several of the 2013 controls were merged in the 2022 restructure). Naturally, they relate to the likes of policy, training, access management, information handling and incident response.
The ISO/IEC 27001/27002 controls modified by ISO/IEC 27018 are:
1. Policies for information security (previously 5.1.1 now 5.1)
2. Information security roles and responsibilities (previously 6.1.1 now 5.2)
3. Information security awareness, education and training (previously 7.2.2 now 6.3)
4. User access management (previously 9.2 now 5.16)
5. User registration and de-registration (previously 9.2.1 now 5.16)
6. Secure log-on procedures (previously 9.4.2 now 8.5)
7. Policy on the use of cryptographic controls (previously 10.1.1 now 8.24)
8. Secure disposal or re-use of equipment (previously 11.2.7 now 7.14)
9. Separation of development, testing & operational environments (previously 12.1.4 now 8.31)
10. Information backup (previously 12.3.1 now 8.13)
11. Event logging (previously 12.4.1 now 8.15)
12. Protection of log information (previously 12.4.2 now 8.15)
13. Information transfer policies and procedures (previously 13.2.1 now 5.14)
14. Management of information security incidents & improvements (previously 16.1 now 5.24)
15. Responsibilities and procedures (previously 16.1.1 now 5.24)
16. Independent review of information security (previously 18.2.1 now 5.35)
6clicks has long provided functionality and content to support assessments against ISO/IEC 27001 certification requirements, as well as to implement and maintain your Information Security Management System (ISMS). This includes making the underlying ISO/IEC 27001 (2013 and 2022) requirements available in the 6clicks Content Library, along with assessment templates and template policies / control sets.
6clicks has now made ISO/IEC 27018:2019 available in the 6clicks Content Library as a "delta" assessment against the 16 modified controls and the 25 additional controls. In addition, 6clicks has also recently made ISO/IEC 27017:2015 available to help those seeking to apply information security controls to cloud services.