A New International Standard on Cloud and PII
The protection of personally identifiable information (PII) is a global issue that affects everyone. PII being processed by ICT systems can be especially vulnerable to various forms of threats and cyber risks unless adequate and effective protection is implemented.
One area in which the protection of PII has raised concerns is that of PII in the Cloud. A CSP (Cloud Service Provider) that processes PII needs to protect its Cloud service customers' PII not only by deploying suitable management and technical controls but also by meeting the requirements of the laws and regulations that are applicable to PII.
The exciting news is that ISO has now published a standard, ISO/IEC 27018, to help with protecting PII in public cloud computing environments. This standard augments the information security controls from ISO/IEC 27002 to create a common set of controls that may be used by CSPs providing public Cloud services as a PII processor. It should be pointed out that this standard is specifically focused on PII processors and not PII controllers. Of course this standard does not replace the laws and regulations a CSP acting as a PII processor must comply with, but it provides a common procedural and technical control framework to help those CSPs comply, and it will be of great assistance to those CSPs operating in a multinational business environment.
Identifying the PII protection requirements thus involves considering the requirements of appropriate laws and regulations that might apply, contractual obligations, requirements resulting from a risk assessment and a privacy impact assessment, and the organisation’s business requirements, objectives and policy. Once these requirements are known then a set of controls for protecting the PII can be determined and implemented to treat the identified risks.
This standard, ISO/IEC 27018, is based on the privacy principles outlined in ISO/IEC 29001 (privacy framework). ISO/IEC 27018 is not only based on the reference controls and implementation guidance provided in ISO/IEC 27002 but also provides additional public cloud-specific PII protection guidance for implementers.
Prof. Edward (Ted) Humphreys
August 2014