Expert Advice Community

ISO 27001 or ISO 27018?

Guest user. Created: Jan 13, 2016. Last commented: Jan 13, 2016

I have been working very extensively on the marketing of the ISO27K and the advantages it can offer to businesses in Australia.

DejanK Jan 13, 2016

I need to ask you the following question. A particular client is very interested in deploying a particular policy for his business. Presently he only offers SaaS (Software as a Service), and therefore I would like to know whether ISO 27001 or 27018 would be appropriate for such a business policy.

Answer:

I think this is both a marketing and a security question.

From the marketing point of view, your client needs to assess which standard brings them more benefits - although, you have to bear in mind that you can get certified against ISO 27001 but not against ISO 27018; you can only claim compliance with ISO 27018 without third-party confirmation.

From the security point of view, ISO 27018 does not introduce any new controls - it simply provides additional guidance for existing controls in ISO 27001/ISO 27002. Since ISO 27018 provides only a list of controls without giving you a clue on how to manage your security, it is limited in its scope the same way as ISO 27002 (see the explanation here: ISO 27001 vs ISO 27002: https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/).

So basically you have 3 options:

1) Implement ISO 27018 only - you won't get certified and won't know how to manage the security, but you will have technical controls focused on the cloud

2) Implement ISO 27001 only - you will get certified and know how to manage your security, but you won't have the technical controls focused on the cloud

3) Implement both ISO 27001 and ISO 27018 - actually it's rather easy because ISO 27018 is a complement to ISO 27001/ISO 27002, and you'll get the best out of both standards.
