About ISO 27018
ISO/IEC 27018 is a unique information technology code of practice for the protection of personally identifiable information (PII) in public clouds acting as PII processors. The cloud offers organizations and consumers a variety of benefits: cost savings, flexibility and mobile access to information top the list. It also raises concerns about data protection and privacy, particularly around personally identifiable information (PII).
PII includes any piece of information that can identify a specific user. The more obvious examples include names and contact details or your mother’s maiden name. But elements that people may not readily think of are medical records, IP addresses and banking statements.
Used with ISO/IEC 27001, ISO/IEC 27018 has been published to allow Cloud Service Providers whose infrastructure is certified to the standard to tell their existing and potential customers that their data is safeguarded and won’t be used for any purposes for which they don’t specifically give consent.
The standard provides guidance on cloud-specific controls that address the following:
- Who is responsible for what between the cloud service provider and the cloud customer
- The removal/return of assets when a contract is terminated
- Administrative operations and procedures associated with the cloud environment
- Cloud customer monitoring of activity within the cloud
If you work for a cloud service provider or are looking to move your business to the cloud, the Lazarus Alliance ISO 27018 certification will benefit your organization.
The benefits of ISO 27018 certification can be summarized as follows:
- Independent verification that your organization's ISMS conforms to the requirements of the internationally recognized and accepted ISO 27001 information security standard
- Builds trust in managing personal information and provides greater reassurance to your customers and stakeholders that data and information are protected
- Reduces the risk of adverse publicity due to data breaches
- Gains a significant advantage over competitors who do not have a certified ISMS, or lets you be the first to market with an ISMS that is certified to ISO 27001 and ISO 27017
- Achieves cost savings by utilizing a centrally managed ISO 27001 certified ISMS that can form the core of various compliance efforts, including NIST 800-53, HIPAA, EUCS, SOC 2, Sarbanes-Oxley and more
- Ensures that local regulations are complied with, reducing the risk of fines for data breaches
- Reduces complexity by integrating with the leading information security standard, ISO/IEC 27001
- Provides common guidelines across different countries, making it easier to do business globally and gain access as a preferred supplier
Scoping of ISO 27018
The ISO 27018 standard does not define a particular scope required for the ISMS; however, a critical component of the certification process is determining the scope of the review. The ISMS scope is determined by the organization itself and can include a specific application or service of the organization, or the organization as a whole. For ISO 27018, this scope is defined by your existing ISO 27001 certification.
ISO 27018 Certification Process
Assuming that you have already been certified to ISO 27001, the initial audit, certification and maintenance process has several stages:
- Initial Certification Review - Stage 1
The initial certification audit consists of a policy and process review of your existing ISO 27001 ISMS, to determine the readiness of your ISMS framework to undergo the full audit in Stage 2 of the certification review. This review would include inspection of all client documents required by the standard.
- Initial Certification Review - Stage 2
The second stage of the initial certification audit includes in-depth testing to determine that the ISMS framework has been implemented appropriately and is monitored and maintained per the ISO 27018 standard requirements and internal policies and procedures. This stage is performed at the client location, or at multiple locations if required by the scope of the ISMS. At the end of this second stage, Lazarus Alliance will determine whether it will issue ISO 27018 certification to the client. There may also be gaps identified that will need to be addressed before certification can be provided.
- Surveillance Audit Stage
ISO 27018 certification is valid for a three-year term, during which time surveillance audits are required to be completed at a minimum on an annual basis. During the surveillance audits, Lazarus Alliance will conduct a brief onsite review to determine if any significant or relevant changes have been made to the ISMS, as well as perform limited testing to confirm that the organization is continuing to follow the framework and controls identified in the original certification of the ISMS.
- Re-Certification Stage
Before the expiry of the initial three-year certification term, and in subsequent cycles, full re-certification audits will be performed by Lazarus Alliance to ensure continuity of your certification. The scope of this review and audit will depend on the findings of the surveillance audits and the information determined in Stage 1 of the re-certification review.
- Audit Timing
The required time for the overall certification process is strongly dependent on the extent to which the organization's Management System is in conformance to the requirements of the ISO 27001 and ISO 27018 standards. Some organizations might be able to obtain certification within a few months of the beginning of the certification review, whereas other more complex organizations and systems may require up to a year to obtain certification.
Lazarus Alliance Certification Services
As an accredited Certification Body (CB), Lazarus Alliance cannot provide any professional consulting services to assist in the design, selection, or implementation of controls to meet the ISO 27018 requirements. We are, however, able to provide the following services in addition to full audit and certification:
ISO 27018 Certification Pre-Assessment
A formal Readiness Assessment is not a requirement of certification to the ISO/IEC 27018 Standard, but it can be helpful in assisting organizations in the process of getting properly prepared for initial certification. The intention of the assessment is to save the organization time and money by identifying deficiencies in its Information Security Management System (ISMS) before seeking Certification to the ISO/IEC 27018 Standard.
Many organizations have found this to be an important step in the process of preparing the organization for the formal Certification Audit.
In the pre-assessment, Lazarus Alliance will perform a high-level review of your intended scope, policies, procedures, and control processes to identify gaps in the conformity of your proposed ISMS to the ISO/IEC 27018 Standard. The assessment will provide a comparison between all requirements of the Standard and the processes, procedures and controls you have in place for the design, implementation, operation, and maintenance of your ISMS. The result will be a report providing clarity on the deficiencies that will need to be addressed before a formal Certification Audit should be attempted.
For organizations considering an ISO 27017 certification, the following steps should be considered:
- Please contact us to better understand the requirements and process for certification.
- Purchase all applicable ISO 27018 series standards which best align with an organization's goals or needs, or utilize a reputable industry GRC solution, such as the Continuum GRC SaaS, which is the first and only FedRAMP Authorized assessment solution in the world.
- Perform gap analyses either internally or utilizing our services outlined above.
- Develop a plan for remediation, implementation, and certification.
Also, for additional information on Lazarus Alliance, please see our ISO 27018 business policy page.