
International Standard ISO 27018

(Data Protection for Public Cloud)

Neven Kranjčec
Senior Consultant
Agenda

• Introduction
• Scope of 27018
• Methodology
• Context
• Requirements
• Structure
• Principles
• Sector-specific examples
• Conclusion
ISO/IEC 27018 (published 2014/08)

• Title
  • Code of practice for PII protection in public clouds acting as PII processors
  • PII = Personally Identifiable Information
• ISO/IEC JTC1 SC27 WG5
  • Information technology, Security techniques, Identity management and privacy technologies

SC 27

WG5

Scope

• Objective
  • To create a common set of security categories and controls that apply to a public cloud computing service provider
  • To meet the requirements for the protection of PII

Methodology

• Collecting together PII protection requirements according to ISO/IEC 29100 and the guidance for implementing controls given in ISO/IEC 27002
• Designed for
  • All types and sizes of organizations

Context

• A public cloud service provider is a “PII processor” when it processes PII for and according to the instructions of a cloud service customer (controller)
• “Privacy by Design”
• “PII lifecycle consideration”
• Information security risk environment

Ecosystem

Requirements

• Three main sources
  • legal, statutory, regulatory and contractual requirements
  • risks
  • corporate policies

27002 structure

• Security policies
• Organization of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance

29100 principles

• Consent and choice
• Purpose legitimacy and specification
• Collection limitation
• Data minimization
• Use, retention and disclosure limitation
• Accuracy and quality
• Openness, transparency and notice
• Individual participation and access
• Accountability
• Information security
• Privacy compliance

Sector-specific examples

• clearly allocate responsibilities between the public cloud PII processor, its sub-contractors and the cloud service customer
• facilitate the exercise of PII principals’ rights
• ensure purpose specification and limitation principles
• notify data breach
• specify PII geographical location

Conclusion

• comply with applicable obligations
• be transparent
• enter into contractual agreement
• demonstrate effective implementation of PII protection
• do not replace applicable legislation and regulations, but can assist
• complete with standards in progress (29151, 29134…)