What is ISO/IEC 27018:2019
ISO/IEC 27018:2019 provides organizations with the internationally accepted code of practice for the protection of personally identifiable information (PII) in public clouds. Essentially, it is a set of refinements to existing ISO/IEC 27002 controls plus a number of additional controls layered on top of them.
Many will know that the Australian Privacy Act is up for its most significant update since 1988, although the introduction of the Notifiable Data Breach (NDB) scheme in 2018 was also a pretty big deal. Australia is now playing catch-up to the rest of the world on privacy. At least we're trying now.
ISO has published guidance on the protection of personally identifiable information (PII) in public clouds, encapsulated in ISO/IEC 27018, since 2014, with the most recent version released in 2019. This guidance gives us a good idea of the overarching measures needed to be ready for further legislative change in this space. Let's take a look.
Refinements of ISO/IEC 27001 controls and ISO/IEC 27002 guidance
There are 16 controls within ISO/IEC 27001 (specifically the 2013 version) that are modified with the adoption of ISO/IEC 27018 (this equates to 13 if you are using the 2022 version, because several of the 2013 controls have been merged). Naturally, they relate to the likes of policy, training, access management, information handling and incident response.
The ISO/IEC 27001/27002 controls modified by ISO/IEC 27018 are:
1. Policies for information security (previously 5.1.1 now 5.1)
2. Information security roles and responsibilities (previously 6.1.1 now 5.2)
3. Information security awareness, education and training (previously 7.2.2 now 6.3)
4. User access management (previously 9.2 now 5.16)
5. User registration and de-registration (previously 9.2.1 now 5.16)
6. Secure log-on procedures (previously 9.4.2 now 8.5)
7. Policy on the use of cryptographic controls (previously 10.1.1 now 8.24)
8. Secure disposal or re-use of equipment (previously 11.2.7 now 7.14)
9. Separation of development, testing & operational environments (previously 12.1.4 now 8.31)
10. Information backup (previously 12.3.1 now 8.13)
11. Event logging (previously 12.4.1 now 8.15)
12. Protection of log information (previously 12.4.2 now 8.15)
13. Information transfer policies and procedures (previously 13.2.1 now 5.14)
14. Management of information security incidents & improvements (previously 16.1 now 5.24)
15. Responsibilities and procedures (previously 16.1.1 now 5.24)
16. Independent review of information security (previously 18.2.1 now 5.35)
New controls in ISO/IEC 27018 required for protection of PII
Despite ISO/IEC 27001:2022 adding a couple of new controls to address privacy (namely, 8.10 Information deletion and 8.11 Data masking), there is more to be done to address the protection of PII fully. ISO/IEC 27018 therefore includes its very own Annex with 25 additional privacy-specific controls. The additional controls introduced by ISO/IEC 27018 are:
1. Obligation to co-operate regarding PII principals' rights (A.2.1)
2. Public cloud PII processor's purpose (A.3.1)
3. Public cloud PII processor's commercial use (A.3.2)
4. Secure erasure of temporary files (A.5.1)
5. PII disclosure notification (A.6.1)
6. Recording of PII disclosures (A.6.2)
7. Disclosure of sub-contracted PII processing (A.8.1)
8. Notification of a data breach involving PII (A.10.1)
9. Retention period for administrative security policies and guidelines (A.10.2)
10. PII return, transfer and disposal (A.10.3)
11. Confidentiality or non-disclosure agreements (A.11.1)
12. Restriction of the creation of hardcopy material (A.11.2)
13. Control and logging of data restoration (A.11.3)
14. Protecting data on storage media leaving the premises (A.11.4)
15. Use of unencrypted portable storage media and devices (A.11.5)
16. Encryption of PII transmitted over public data-transmission networks (A.11.6)
17. Secure disposal of hardcopy materials (A.11.7)
18. Unique use of user IDs (A.11.8)
19. Records of authorized users (A.11.9)
20. User ID management (A.11.10)
21. Contract measures (A.11.11)
22. Sub-contracted PII processing (A.11.12)
23. Access to data on pre-used data storage space (A.11.13)
24. Geographical location of PII (A.12.1)
25. Intended destination of PII (A.12.2)
How can 6clicks help with ISO/IEC 27018:2019?
6clicks has long provided functionality and content to support assessments against ISO/IEC 27001 certification requirements, as well as to implement and maintain your Information Security Management System (ISMS). This includes making the underlying ISO/IEC 27001 (2013 and 2022) requirements available in the 6clicks Content Library, along with assessment templates and template policies / control sets.
6clicks has now made ISO/IEC 27018:2019 available in the 6clicks Content Library as a "delta" assessment against the 16 modified controls and the 25 additional controls. In addition, 6clicks has also recently made ISO/IEC 27017:2015 available to help those seeking to apply information security controls to cloud services.
Written by Andrew Robinson
Andrew started his career in the startup world and went on to perform in cyber and information security advisory roles for the Australian Federal Government and several Victorian Government entities. Andrew has a Master's in Policing, Intelligence and Counter-Terrorism (PICT) specialising in Cyber Security and holds IRAP, ISO 27001 LA, CISSP, CISM and SCF certifications.