ISO 27018:2014 for protection of personally identifiable information

Protection of personally identifiable information (PII) in public clouds

The ISO 27001 standard defines an organizational information security management model, under which the organization takes appropriate measures to protect and effectively manage its sensitive information.

The ISO 27018 standard expands ISO 27001 and adds guidance and special requirements for information security management at cloud-based companies, in order to secure and protect the databases they store in the cloud.

Special requirements of ISO 27018

The ISO 27018 standard expands the operations section of ISO 27001, with particular emphasis on separation of environments (development, production, testing), database security during QA testing, backup and recovery processes, processes for handling information security events, etc. In addition, the standard requires additional controls, as follows:

  • Definition of information security requirements under agreements with clients and/or third parties with regard to cloud services;
  • Control of client access to the cloud, including access rights to delete/modify data in the databases;
  • Ensuring the privacy of databases stored in the cloud;
  • Ensuring non-use of databases for advertising and marketing purposes;
  • Complying with the requirements of laws, regulations and regulatory requirements regarding the location of the cloud
    (example: compliance with the requirements of the Ministry of Health for the storage of medical databases in the cloud in Israel only);
  • Control of data leakage;
  • Separation of databases of different clients who use the cloud;
  • Control of data processing, with an emphasis on deleting temporary files;
  • Management of third parties and/or suppliers with access to databases;
  • Data recovery processes;
  • Data backup processes at a secondary site / extraction of databases to physical media;
  • Use of encrypted/secure communications;
  • Data encryption and use of secure communications.

Why should your organization upgrade its working processes to comply with the standard and obtain formal certification?

Working in accordance with the ISO 27018 standard …

  • Increases the sense of security among the company's clients and enhances the company's reputation;
  • Upgrades the management and security of the organization's databases and information systems in the cloud;
  • Prevents leakage of sensitive corporate information (business data, client data, etc.);
  • Reduces expenses for damages related to security incidents and to loss or unavailability of information;
  • Develops business continuity and disaster recovery capability;
  • Identifies existing information security risks and builds a prevention plan.

As part of the establishment of an information security management system, it is the organization’s responsibility to:

  • Define the organization's information security policy;
  • Identify, evaluate and control information security risks, including defining activities to prevent their realization;
  • Define procedures and rules to prevent information leakage, and information security requirements within the organization's information systems;
  • Draft the organization's information security procedures (if the organization is ISO 9001 certified, we recommend adapting the organization's quality procedures to the requirements of both standards, thereby creating the procedures of an integrated quality system);
  • Define information security requirements and guidelines within the organization's internal procedures;
  • Define information security objectives and metrics;
  • Define activities for continuous improvement and establish information security as part of the organizational culture;
  • Carry out internal audits in preparation for certification audits by a certifying body;
  • Conduct management reviews in accordance with the requirements of the standard.

The consultancy process for ISO 27001 and ISO 27018 certification

The process begins with meetings with key people at the organization so that we can learn how your organization works. Together with you, we characterize the work processes and develop the procedures, work instructions and forms, and, in cooperation with your representative, we identify the information security risks. The procedures that are developed are approved by a representative of the organization's management. Once the procedures have been approved, we help you integrate them at the organization. The integration process may include, according to your needs, training, internal audits, preparation for and participation in a quality management review, and more. We guarantee that at the end of the consultancy process, you will successfully pass an objective audit by one of the organizations authorized to audit compliance with the.

Want us to do this for you?

Call Orna at 053-7739018 or fill in your details: