Privacy Compliance under ISO 27001 and 27018

ISO 27001 and 27018 refer to the standards for Information Security and Cloud Security promoted by the International Standards Organization. ISO standards carry wide industry acceptance though the proprietary nature of the specifications make it more as a “Best Practice followed voluntarily by the conforming organizations”.

ISO27001 specifies an Information Security Management System containing a set of activities to manage information security risks. ISO 27002 is an associated standard that mandates specific information security controls and are often used along with ISO 27001 framework to manage ISMS in organizations.

Following mandatory documentation is explicitly required for certification by an auditor under ISO 27001.

1. ISMS scope

2. Information security policy

3.Information risk assessment process

4. Information risk treatment process

5. Information security objectives

6. Evidence of the competence of the people working in information security

7. Other ISMS-related documents deemed necessary by the organization

8. Operational planning and control documents

9. The results of the risk assessments

10. The decisions regarding risk treatment

11. Evidence of the monitoring and measurement of information security

12. The ISMS internal audit program and the results of audits conducted

13. Evidence of top management reviews of the ISMS

14. Evidence of nonconformities identified and corrective actions arising

15. Others: Annex A, which is normative, mentions but does not fully specify further documentation including the rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, information security incident response procedures, relevant laws, regulations and contractual obligations plus the associated compliance procedures and information security continuity procedures.

Certification auditors will check that these fifteen types of documentation are (a) present, and (b) fit for purpose.

The standard does not specify precisely what form the documentation should take, but  talks about aspects such as the titles, authors, formats, media, review and approval, document control, etc.

ISO 27001 was meant as means of assessing the information security risks and mitigating them through a formal process. It was not however focussed on regulatory compliance though there is an attempt to extend the ISO 27001 compliance to some legal aspects such as IPR and ITA 2008 to the extent those laws prescribe any technical measures for protecting the Confidentiality, Integrity and Availability of information.

Privacy laws which have similar prescriptions on the manner of protecting the Confidentiality, Integrity and Availability of information (Personal or Sensitive Personal Information) also may be looked at by an auditor as a requirement of the ISMS policy of the organization.

Annexure A of ISO 27001 lists the following security controls

A.5 Information security policies – controls on how the policies are written and reviewed
A.6 Organization of information security – controls on how the responsibilities are assigned; also includes the controls for mobile devices and teleworking
A.7 Human resources security – controls prior to employment, during, and after the employment
A.8 Asset management – controls related to inventory of assets and acceptable use, also for information classification and media handling
A.9 Access control – controls for Access control policy, user access management, system and application access control, and user responsibilities
A.10 Cryptography – controls related to encryption and key management
A.11 Physical and environmental security – controls defining secure areas, entry controls, protection against threats, equipment security, secure disposal, clear desk and clear screen policy, etc.
A.12 Operational security – lots of controls related to management of IT production: change management, capacity management, malware, backup, logging, monitoring, installation, vulnerabilities, etc.
A.13 Communications security – controls related to network security, segregation, network services, transfer of information, messaging, etc.
A.14 System acquisition, development and maintenance – controls defining security requirements and security in development and support processes
A.15 Supplier relationships – controls on what to include in agreements, and how to monitor the suppliers
A.16 Information security incident management – controls for reporting events and weaknesses, defining responsibilities, response procedures, and collection of evidence
A.17 Information security aspects of business continuity management – controls requiring the planning of business continuity, procedures, verification and reviewing, and IT redundancy
A.18 Compliance – controls requiring the identification of applicable laws and regulations, intellectual property protection, personal data protection, and reviews of information security

A18 refers to the controls that an organization need to maintain for complying with the laws related to personal data protection.

ISO 27002 provides the detailed explanation on how to implement the ISO 27001 prescriptions.

ISO 27018

ISO 27018 provides guidance aimed at “Cloud Providers” and offers recommended information security controls to protect the privacy of their customer’s clients by securing PII (Personally Identifiable Information) entrusted to them.

The standard is intended to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls”

The standard is primarily concerned with public-cloud computing service providers (such as Amazon Web Services and Google’s Compute Engine) acting as PII processors .

It does not officially cover PII principals (i.e. individuals processing their own PII in the cloud, for example using Google Drive) or PII controllers (i.e. cloud service customers processing PII of their clients/customers/employees and others in the cloud), although they clearly share many concerns and have an interest in the cloud service provider’s privacy controls.

The standard interprets rather than duplicates ISO/IEC 27002:2013 in the context of securing personal data processed in the cloud. An annex extends 27002, for example advising cloud service providers to advise their customers if they use sub-contractors.

Annex A of ISO 27018 lists the following additional controls (that do not exist in ISO 27001/27002) that should be implemented in order to increase the level of protection of personal data in the cloud:

  • Rights of the customer to access and delete the data
  • Processing the data only for the purpose for which the customer has provided this data
  • Not using the data for marketing and advertising
  • Deletion of temporary files
  • Notification to the customer in case of a request for data disclosure
  • Recording all the disclosures of personal data
  • Disclosing the information about all the sub-contractors used for processing the personal data
  • Notification to the customer in case of a data breach
  • Document management for cloud policies and procedures
  • Policy for return, transfer and disposal of personal data
  • Confidentiality agreements for individuals who can access personal data
  • Restriction of printing the personal data
  • Procedure for data restoration
  • Authorization for taking the physical media off-site
  • Restriction of usage of media that does not have encryption capability
  • Encrypting data that is transmitted over public networks
  • Destruction of printed media with personal data
  • Usage of unique IDs for cloud customers
  • Records of user access to the cloud
  • Disabling the usage of expired user IDs
  • Specifying the minimum security controls in contracts with customers and subcontractors
  • Deletion of data in storage assigned to other customers
  • Disclosing to the cloud customer in which countries will the data be stored
  • Ensuring the data reaches the destination

More ISO Guidance

ISO/IEC 27000, 27001 and 27002 are cited as ‘normative’ (i.e. essential) standards, along with ISO/IEC 17788 “Cloud computing – overview and vocabulary” and ISO/IEC 29100 “Privacy framework”.

Information on ISO/IEC17788 is available here.

ISO/IEC 29100:2011 provides a privacy framework which specifies a common privacy terminology;
defines the actors and their roles in processing personally identifiable information (PII); describes privacy safeguarding considerations; and provides references to known privacy principles for information technology.

ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

More Information on ISO/IEC 29100 is available here

P.S: ISO is an organization that places a price on all information. For this reason, Naavi considers ISO as a close community created for generating revenue in the name of “Standards”. This site does not promote this culture. 

P.S: This page may be updated from time to time with additional information. Discussions on this may also be covered in the articles on the site.